google-veo
Audited by Socket on Feb 25, 2026
1 alert found:
Malware

This skill file is documentation for using the inference.sh CLI to run Google Veo video generation models. The primary security concerns are supply-chain and trust: it instructs users to run a remote installer via curl | sh and to install/run a third-party CLI binary fetched from dist.inference.sh. Those patterns create a significant trust boundary because a compromised installer or distribution host could execute arbitrary code or exfiltrate credentials. The skill also routes user prompts, inputs, and authentication to the inference.sh platform — users should assume prompts and uploaded inputs are sent to and potentially stored by that service. There is no direct evidence in this doc of obfuscated code or embedded malware, but the download-and-execute install pattern and credential forwarding to a third-party service elevate the security risk to a medium-high level.

Recommendations: avoid pipe-to-shell installs, manually review and verify installer scripts and published checksums before executing, understand the platform's data retention and credential handling, and limit credentials/scopes used by the infsh CLI where possible.