ai-avatar-video

This skill README documents a legitimate-looking cloud-based AI avatar/video workflow, but it includes several supply-chain and data-exposure risks. The most significant issues are the curl | sh install pattern (download-and-execute), reliance on remote binary distribution, and encouragement of transitive skill installation (npx skills add) which expands the trust surface. The workflow necessarily sends user media and likely credentials to external inference endpoints; this is expected for a hosted inference platform but should be considered sensitive. There is no direct evidence of obfuscated or intentionally malicious code inside this README itself, nor explicit credential harvesting code; however the combination of download-execute and transitive installs raises the securityRisk to moderate-high. Recommend manual verification of the installer (verify checksums before running), prefer package-manager installs with pinned checksums or signed releases, audit any transitive skills before adding them, and review the CLI's authentication and data-retention/privacy behavior before sending sensitive media or credentials.