email-design

Fail

Audited by Socket on Feb 19, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

LOW TO MODERATE RISK (Operational/Data-exfiltration concerns). The package content is documentation and examples intended for email design and image generation; there is no direct evidence of embedded malware. However, the documented install and runtime patterns (curl | sh installer, sending raw HTML/prompts to remote inference endpoints, and broad CLI permissions) create significant supply-chain and data-leak risks. Treat the remote CLI and inference endpoints as untrusted until the provider and installer are vetted. Recommended actions: do not run curl | sh without verification, review the infsh CLI source before use, sanitize any sensitive data before sending to remote services, and prefer verified installers or sandboxed execution.

LLM verification: Functionally the skill matches its stated purpose, but it relies on a remote, opaque CLI and cloud services and uses a high-risk installation pattern (curl | sh). This raises supply-chain, credential, and data-exfiltration concerns. Before use, operators should: obtain and audit the CLI source or install via a verified package release; avoid piping unknown scripts to shell; confirm where credentials and tokens are stored and whether data sent to remote services is encrypted and retained; and pre

Confidence: 98%
Severity: 90%
Audit Metadata

Analyzed At: Feb 19, 2026, 01:20 AM
Package URL: pkg:socket/skills-sh/NeverSight%2Fskills_feed%2Femail-design%2F@4beba4160490a13f73c2756e56a284a67ce81938