building-inferencesh-apps
Fail
Audited by Snyk on Apr 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Most links are documentation or GitHub (low risk), but the included installer pattern (curl -fsSL https://cli.inference.sh | sh) fetches a remote shell script and executes it immediately, with the privileges of the invoking user and with no chance to read it first. Pipe-to-shell installation is a high-risk distribution vector, so treat the bundle as moderately high risk unless you fully trust the provider and have downloaded and inspected the script before running it.
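The check a practitioner would apply to the flagged installer pattern, as an added example (not code from the skill bundle or from inference.sh): save the script to disk instead of piping it to sh, compare its SHA-256 against a digest obtained out of band, read it, and only then execute it. EXPECTED_SHA256 below is a placeholder, not the real installer's digest, and the sample installer written by make_sample_installer is constructed for illustration.

```python
"""Download-verify-run replacement for `curl -fsSL <url> | sh`.

Added example, not the skill's or inference.sh's own code. The installer is
written to disk, hashed, compared against a pinned digest, and executed only
on a match; a mismatch means the script differs from the one that was
reviewed (or was altered in transit) and it is never run.
"""
import hashlib
import subprocess
import tempfile
import urllib.request
from pathlib import Path

# Placeholder: the real value must come from the provider over a second channel
# (release notes, a signed manifest), never from the same download.
EXPECTED_SHA256 = "0" * 64


def fetch_to_file(url: str, dest: Path) -> Path:
    """Download the installer without executing it; HTTPS only."""
    if not url.startswith("https://"):
        raise ValueError(f"refusing non-HTTPS installer URL: {url}")
    with urllib.request.urlopen(url, timeout=30) as resp:
        dest.write_bytes(resp.read())
    return dest


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path: Path, expected_sha256: str) -> bool:
    """True only when the on-disk script matches the pinned digest."""
    return sha256_file(path) == expected_sha256.strip().lower()


def run_verified(path: Path, expected_sha256: str) -> int:
    """Run the installer with sh only after the digest check passes; return its exit code."""
    if not verify_installer(path, expected_sha256):
        raise RuntimeError(f"SHA-256 mismatch for {path}; refusing to execute")
    return subprocess.run(["sh", str(path)], check=False).returncode


def write_temp(content: bytes) -> Path:
    """Write constructed bytes to a fresh temporary file and return its path."""
    tmp = Path(tempfile.mkdtemp()) / "install.sh"
    tmp.write_bytes(content)
    return tmp


def make_sample_installer() -> Path:
    """Constructed stand-in for a downloaded installer: it only exits with status 7."""
    return write_temp(b"#!/bin/sh\n# constructed sample installer, does nothing\nexit 7\n")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for the real installer call
    # fetch_to_file("https://cli.inference.sh", Path("install.sh")), read the file,
    # then run_verified(...) with the provider's published digest.
    script = make_sample_installer()
    pinned = sha256_file(script)  # stands in for an out-of-band digest
    print("sha256:", pinned)
    print("exit status:", run_verified(script, pinned))
    try:
        run_verified(script, EXPECTED_SHA256)
    except RuntimeError as err:
        print("blocked:", err)
```

Reading the saved script is the step that `curl | sh` removes; the digest check only guarantees you run the file you reviewed, not that the file is benign.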
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's docs explicitly show downloading and processing arbitrary URLs (e.g., File.from in references/node-app-logic.md), calling external APIs in the API-wrapper example (SKILL.md), and pulling models via huggingface_hub.snapshot_download (references/python-patterns.md), meaning untrusted third-party content is fetched and consumed as part of normal workflows and could therefore influence app behavior.
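A gate for the fetch-and-consume workflows the finding describes, as an added example (not code from the skill bundle): every outbound URL is checked against an HTTPS-only host allowlist before anything is downloaded, userinfo tricks are rejected, and response size is capped. ALLOWED_HOSTS and MAX_BYTES are illustrative assumptions; guarded_fetch takes the fetcher as a parameter so the gate can be exercised offline with a stub.

```python
"""Allowlist gate for URLs a skill fetches (File.from-style downloads, API
wrappers, model pulls). Added example, not the skill's own code; the host
list and size cap are placeholders chosen for illustration.
"""
from typing import Callable, FrozenSet, Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS: FrozenSet[str] = frozenset({"huggingface.co"})  # placeholder allowlist
MAX_BYTES = 10_000_000  # refuse oversized bodies before anything parses them


def check_fetch_url(url: str, allowed_hosts: FrozenSet[str]) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a short rejection reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme"
    if parts.username is not None or parts.password is not None:
        # "https://huggingface.co@evil.com/" parses with hostname evil.com;
        # reject any userinfo rather than reasoning about it.
        return "userinfo"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "no-host"
    # Exact host or subdomain of an allowlisted name. An allowlisted name can
    # still resolve to an internal address (DNS rebinding); a real client should
    # re-check the resolved IP at connect time, which this offline check cannot do.
    for allowed in allowed_hosts:
        if host == allowed or host.endswith("." + allowed):
            return None
    return "host-not-allowed"


def guarded_fetch(
    url: str,
    allowed_hosts: FrozenSet[str],
    fetcher: Callable[[str], bytes],
    max_bytes: int = MAX_BYTES,
) -> bytes:
    """Fetch only allowlisted URLs and cap the body size; the body is still untrusted data."""
    reason = check_fetch_url(url, allowed_hosts)
    if reason is not None:
        raise PermissionError(f"refusing to fetch {url}: {reason}")
    body = fetcher(url)
    if len(body) > max_bytes:
        raise ValueError(f"response from {url} exceeds {max_bytes} bytes")
    return body


if __name__ == "__main__":
    # Constructed stub standing in for a network client.
    stub = lambda u: b"# constructed model card\nlicense: mit\n"
    print(guarded_fetch("https://huggingface.co/org/model/raw/main/README.md", ALLOWED_HOSTS, stub))
    for bad in ("http://huggingface.co/x", "https://huggingface.co@evil.com/x", "https://127.0.0.1/x"):
        try:
            guarded_fetch(bad, ALLOWED_HOSTS, stub)
        except PermissionError as err:
            print("blocked:", err)
```

The gate limits where content comes from; it does not make the content trustworthy. Anything returned by guarded_fetch should still be handled as data rather than instructions, and model pulls should pin a commit via the revision argument of huggingface_hub.snapshot_download instead of tracking a branch.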
Issues (2)
E005 (CRITICAL): Suspicious download URL detected in skill instructions.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata