product-hunt-launch

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.85). The domains inference.sh and cli.inference.sh are not well-known vendor sites and the skill explicitly instructs piping a remote shell script (curl ... | sh), which is a high-risk pattern because it downloads and executes code from an unverified third-party domain and could easily be used to deliver malware.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly runs web-search/search-assistant apps (e.g., the infsh commands "infsh app run tavily/search-assistant --input {'query': 'Product Hunt top launches this week SaaS tools'}" and "infsh app run exa/search --input {...}") and recommends adding a web-search app, which fetches and ingests open/public Product Hunt and web content (user-generated/community posts) that the agent is expected to read and interpret.