ai-marketing-videos
Audited by Socket on Feb 24, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

The artifact is an instructional skill for producing AI marketing videos that depends on a third-party CLI (infsh) and hosted model endpoints. No direct, explicit malware is present in the provided content, but there are significant supply-chain and data-exposure risks: a pipe-to-shell installer recommendation, centralized hosted processing of user prompts and media, and use of external asset URLs and npm installs.

Recommended mitigations: avoid running curl | sh without auditing the installer and verifying signatures; inspect the CLI source/binaries before granting credentials; treat generated workflows as involving third-party data processing (avoid uploading sensitive content); and lock down environment before running npx installs.

Verdict: functional and useful for its purpose but SUSPICIOUS for supply-chain risk — proceed only after auditing installer and service behavior.

LLM verification: The skill documentation is functionally benign in content and matches its stated purpose, but it instructs users to perform high-risk supply-chain actions: installing a remote CLI via a pipe-to-shell command and installing unpinned npm packages. There is no evidence of embedded malware in the document itself, but the recommended install/run flow materially increases the chance of remote compromise, credential capture, or data exfiltration depending on the trustworthiness of inference.sh and pack