image-upscaling

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs include a direct "curl | sh" install script hosted on an unverified domain (cli.inference.sh / inference.sh), which is a high‑risk pattern for malware distribution even though the other links are mostly docs/images.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill's SKILL.md examples (Quick Start and "Upscale Any Image") show it fetching arbitrary image URLs via the inference.sh CLI (e.g., infsh app run ... --input '{"image_url":"https://your-image.jpg"}'), meaning untrusted third-party content is ingested and directly influences processing/output.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The Quick Start explicitly runs code at runtime via "curl -fsSL https://cli.inference.sh | sh" (https://cli.inference.sh), which fetches and executes remote code and is a required dependency for running the infsh apps.