youtube-thumbnail-design

Fail

Audited by Socket on Feb 19, 2026

1 alert found:

Malware (severity: HIGH)
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected. This skill is functionally consistent with its stated purpose (YouTube thumbnail design) and contains realistic examples that call a remote inference CLI and model providers. I did not find code-like constructs that perform credential theft, obfuscated payloads, or direct data-exfiltration in the skill text. However, there are notable operational security concerns: the Quick Start suggests piping a remote installer directly into sh without verification, the skill requires an infsh login (credentials will be transmitted to the remote service), and the allowed-tools permission is a broad wildcard which enables wide command execution via the infsh CLI. These factors raise moderate security risk for supply-chain or credential exposure if users follow the instructions without verifying the installer or trusting the service. Recommend caution: verify the installer (checksums/signatures), review infsh's privacy/retention and credential handling, and avoid granting overly broad agent permissions when possible.

LLM verification: The activity described is coherent with its intended thumbnail-design purpose but relies on an unsafe installation method (curl | sh) that enables remote code execution and creates significant supply-chain risk. To improve security, replace the remote installer pattern with verifiable, signed binaries from a trusted registry, add integrity checks (checksums and/or signatures), and consider containerization or local, auditable builds. Include explicit version pinning and domain trust validation t

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At: Feb 19, 2026, 01:20 AM
Package URL: pkg:socket/skills-sh/NeverSight%2Fskills_feed%2Fyoutube-thumbnail-design%2F@95f62ea1dee2293c357038233940f5915e74f78b