web-search

This skill README documents a client (infsh) that installs a vendor-provided CLI and runs hosted apps (Tavily/Exa) for web search and extraction. The primary security concerns are supply-chain and data-flow: the README endorses a curl|sh install pattern that executes a remote installer (high-risk), and all user queries/URLs and authentication tokens are transmitted to the vendor’s hosted services (moderate risk) without clear documentation of token scopes, storage, or data retention. There are no hardcoded secrets or obvious obfuscated payloads in the README itself, but the download-and-execute installer and the centralized routing of potentially sensitive inputs to an external service justify caution. Recommend: avoid piping remote scripts directly to shell; verify checksums from a separate trusted channel; review the infsh CLI source code or obtain it from a trusted package manager if available; treat any sensitive URLs or secrets as off-limits for these apps unless the vendor’s privacy and retention policies are reviewed.