ai-music-generation
Audited by Socket on Feb 20, 2026
1 alert found:
Malware [Skill Scanner] Pipe-to-shell or eval pattern detected

Functionally the skill is coherent: its capabilities align with the stated purpose (text-to-music via the inference.sh hosted apps). There are no direct signs of obfuscated malware or hidden backdoors in the provided content. However, the distribution/install method (curl | sh) and the need to run a third-party CLI that manages user tokens introduce supply-chain and trust risks. If you trust inference.sh, the risk is modest; if you do not, the installer and CLI token storage are the main attack surface. Recommend reviewing the installer script before executing and reviewing the CLI’s token storage/permissions. Overall this is not obviously malicious, but it has non-negligible supply-chain risk due to the remote installer and broad Bash tooling permission.

LLM verification: The SKILL.md accurately documents using the inference.sh CLI to run hosted music-generation models and contains typical usage examples. There is no direct evidence of malicious code in the document itself. The primary security concern is the recommended installation pattern (curl ... | sh), which executes a remote script without verification and therefore creates a supply-chain risk. Additionally, prompts and input files are transmitted to the operator's servers, so sensitive data may be exposed.