content-repurposing

[Skill Scanner] Pipe-to-shell or eval pattern detected This SKILL.md is functionally coherent with its stated purpose (content repurposing) and contains no direct malicious code in the document itself. However, it prescribes a risky install pattern (curl | sh) and delegates content, files, and credentials to external/inference.sh-managed apps (falai, google, x/post-create, etc.). Those operational behaviors create a plausible credential- and data-exfiltration vector if the installer or any app backend is malicious or compromised. Recommend caution: inspect the installer script before running, prefer manual installation or checksums, and review which app endpoints are used and how credentials are stored/forwarded. Overall: not obviously malware in this document, but moderate operational supply-chain risk due to installer and opaque third-party routing. LLM verification: SUSPICIOUS / CAUTION ADVISED. The skill's functionality (content repurposing via hosted inference apps) matches its documentation, but the recommended installation and operational patterns introduce meaningful supply-chain and privacy risks. The immediate red flag is the 'curl ... | sh' installer pattern. Additionally, routing content and credentials through a centralized third-party CLI/gateway without documented token handling or retention policies increases the potential for data exfiltration