book-cover-design
Fail
Audited by Snyk on Feb 19, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The URLs are suspicious because the skill's instructions pipe a remote install script into sh and download platform-specific binaries and a checksum from the same unvetted domain (inference.sh) rather than from a trusted package manager or an independently signed release, a common supply-chain/malware vector.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The Quick Start uses a runtime install command that executes remote code ("curl -fsSL https://cli.inference.sh | sh"). It fetches an installer from https://cli.inference.sh (and downloads from dist.inference.sh) to provide the infsh CLI that the skill requires to run model prompts, so the skill depends on an external source that executes remote code.
Audit Metadata