pitch-deck-visuals
Audited by Socket on Feb 18, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

Functionally benign in itself: the skill's code and examples are consistent with the stated purpose (creating pitch-deck visuals) and do not contain direct malware payloads, hardcoded secrets, or obfuscated malicious logic. However, there are supply-chain/privacy risks: it instructs running a remote installer (curl | sh) and sends arbitrary HTML, Python code, and prompts to third-party hosted services (inference.sh and falai models). That behavior can legitimately be required for a hosted visual-generation workflow, but it concentrates risk — sensitive slide content and user credentials could be exposed if those services are untrusted or compromised.

Recommended mitigations: inspect the remote installer before running (download and review the script), prefer local-only tools if slide content is proprietary, restrict agent allowed_tools to the minimum necessary, and verify the trustworthiness and privacy policy of inference.sh/falai before supplying confidential assets or login credentials.

LLM verification: The provided skill content does not contain explicit malware in the example snippets, but it exhibits significant supply-chain and data-exposure risk due to the use of a pipe-to-shell installer and reliance on a third-party remote execution service that runs arbitrary HTML/Python. Treat this as SUSPICIOUS: the immediate code examples are benign, but the installation and execution model creates realistic opportunities for compromise, credential harvesting, or exfiltration if the inference.sh oper