press-release-writing

The press-release guidance is benign in intent and contains useful editorial templates. However, the operational instructions introduce moderate supply-chain and data-exposure risks: the inline curl|sh installer, execution of downloaded binaries from dist.inference.sh, and use of a remote CLI that accepts credentials and arbitrary query inputs. There is no evidence in the document of malware or obfuscated malicious code, but the recommended workflows could enable credential theft or remote code execution if the distribution or hosted apps are compromised. Recommend removing or de-emphasizing the pipe-to-shell quick-start, requiring explicit checksum/signature verification, documenting what data is transmitted and retained by inference.sh, restricting allowed shell tooling, and warning users against sending sensitive content to hosted apps.