video-ad-specs

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.75). These are downloads from a small/unknown domain that provides a remote install script (curl | sh) and platform binaries (dist.*) — the presence of a plain checksums.txt is a slight mitigation but piping an unsigned remote installer and fetching executables from an unvetted domain is risky and could be used to distribute malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Quick Start instructs running "curl -fsSL https://cli.inference.sh | sh" (which downloads and executes a remote installer that in turn pulls binaries from dist.inference.sh) and that installer is required to get the infsh CLI used by the skill, so it clearly executes remote code at runtime.