social-media-carousel

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). Suspicious — the site is an unverified .sh domain and the skill explicitly pipes a remote install script (https://cli.inference.sh) into sh, which allows arbitrary code execution from an unknown source and is a common malware distribution pattern with no clear trust signals or official package-manager provenance.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The Quick Start installs and runs remote code via "curl -fsSL https://cli.inference.sh | sh" (fetching and executing https://cli.inference.sh), and the skill's runtime commands (infsh ...) depend on that CLI, so the URL directly executes remote code and is a required dependency.