image-to-video
Audited by Socket on Feb 20, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

This skill's content and capabilities are coherent with its stated purpose: animating still images via hosted inference services. There is no direct evidence of malicious code in the skill text itself. However, there are operational security concerns: the Quick Start instructs users to run a remote install script via curl | sh (high-risk distribution pattern), and the declared allowed-tools (infsh *) grants broad permissions to the infsh client. Both increase the chance that sensitive images, prompts, or credentials could be uploaded to third-party services or that an installer might perform unintended local actions.

Recommendation: treat this skill as suspicious until the infsh installer and provider data handling/privacy policies are verified; avoid running curl | sh blindly and prefer reviewing install scripts, using verified package manager installs or checksums, and restricting tool permissions to the minimum required.

LLM verification: The document is an innocuous usage guide for animating images via remote AI models, but it contains a high-risk supply-chain/install pattern (curl | sh) and advocates centralizing uploads/authentication through a single third-party gateway (infsh) without transparency. There is no explicit malicious code in the file itself, but the installer pattern and unclarified data routing present meaningful risks: remote code execution at install time and potential credential/data exposure to an intermedia