ai-social-media-content
Audited by Socket on Feb 24, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

This skill's stated purpose (AI-driven social media content generation) aligns with the commands and apps used. However, it uses risky supply-chain patterns: a pipe-to-shell installer (curl | sh https://cli.inference.sh) and unpinned npx package installs, and it routes operations through an intermediary CLI/service (inference.sh) which may receive prompts, media, and authentication tokens. There are no hardcoded secrets or visible obfuscated malware, but the installer + credential forwarding risk and unpinned dependencies make this skill SUSPICIOUS from a supply-chain/credential-exposure perspective. Recommend avoiding run-once curl|sh installs without reviewing the installer and verifying trust of inference.sh, pinning packages, and auditing how infsh stores/uses credentials before use.

LLM verification: The skill documentation legitimately describes an automation workflow for multi-platform AI-generated content. The primary security concerns are supply-chain and data-flow: (1) the curl | sh installer is a high-risk download-and-execute vector and must be audited before use; (2) the infsh CLI centralizes credentials and may proxy requests, creating an elevated risk of credential exposure or unintentional data exfiltration if the backend or installer is compromised; (3) examples include automated