video-prompting-guide
Audited by Socket on Feb 24, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

The file is a benign and useful guide for crafting AI video-generation prompts. The primary security concern is the recommended pipe-to-shell installation (curl ... | sh) and the allowed-tools declaration that implies broad shell capabilities. These represent a supply-chain and privilege-exposure risk because executing an unverified remote installer can lead to arbitrary local code execution and potential data access/exfiltration by the installed CLI. There is no direct evidence in this document of malware, obfuscation, or credential harvesting, but absence of the installer code prevents full assessment. Users should treat the install pattern as high-risk and prefer verified installation methods, signature/checksum verification, or code review prior to execution.

LLM verification: This SKILL.md is a legitimate-looking prompt-engineering guide that instructs users to install and use a third-party CLI (inference.sh) and to add skills via npx. The primary supply-chain risk is the documented curl -fsSL https://cli.inference.sh | sh (pipe-to-shell) pattern which downloads and executes remote code without verification — a high-risk distribution pattern. The guide routes prompts and auth through the inference.sh service (centralized data flow) but does not itself contain visible