data-visualization

Fail

Audited by Socket on Feb 15, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

The skill itself is coherent with its stated purpose (data visualization) and contains legitimate plotting examples. However, it routes runnable examples and user-supplied code/data through a third-party managed service (inference.sh) and instructs users to install that CLI via a curl | sh pipeline. These two factors increase supply-chain and data-exfiltration risk: users could accidentally send sensitive data or run malicious installer code. There is no evidence of embedded malware in the skill text, but the distribution/execute pattern and lack of documentation about data handling make this skill SUSPICIOUS for users who expect local-only execution.

Recommend: treat the remote CLI and installer as untrusted until verified, avoid sending secrets or private data in example payloads, and prefer installing software from verifiable sources (signed releases, checksums).

LLM verification: The skill’s content is instructional and benign in purpose, but the distribution and execution patterns present meaningful supply-chain and data-exfiltration risk: a curl|sh installer and examples that send arbitrary code to a hosted python-executor. There is no evidence of embedded malware or obfuscated payloads in the provided text, but the installer and remote-execution model require trusting inference.sh with code, credentials, and data. Recommendation: treat the package as potentially risky

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 15, 2026, 03:26 AM
Package URL: pkg:socket/skills-sh/openclaw%2Fskills%2Fdata-visualization%2F@7610cea810f5e8a13140c0a3251a491832561f21