ai-content-pipeline

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

This skill documentation is functionally coherent with its stated purpose (multi-step content pipelines) but presents significant supply-chain and data-exposure risks. The pipe-to-shell installer (curl | sh) and unpinned remote installer are the highest-risk elements. The workflow also forwards user prompts, media, and likely credentials to many third-party services without clear data governance. Recommend treating this as suspicious: do not run the installer without verifying its provenance and checksum; prefer installing via official package managers or pinned releases; audit which backends receive data and require minimal scopes/explicit consent.

LLM verification: The documentation describes legitimate, useful workflows for building AI-driven media pipelines. The primary security concern is the installer pattern `curl -fsSL https://cli.inference.sh | sh` and the centralization of data/credentials via the infsh CLI/backend. These create supply-chain and data-exposure risks (arbitrary code execution at install, potential credential capture, and mass exfiltration of uploaded content). There is no direct indication of embedded malware or obfuscation in the RE

Confidence: 95%
Severity: 90%

Audit Metadata

Analyzed At: Feb 21, 2026, 04:58 PM
Package URL: pkg:socket/skills-sh/NeverSight%2Fskills_feed%2Fai-content-pipeline%2F@822cd0e0f93b0c75f3f7edfec409a0dbe0abe3b5