ai-image-generation
Audited by Socket on Mar 4, 2026
1 alert found:
Malware
The skill documentation describes a legitimate image-generation platform and the commands are consistent with that purpose. However, it contains multiple supply-chain and credential-forwarding risks: a curl|sh installer (download-and-execute), infsh login which collects credentials and forwards data to a third-party platform, and explicit instructions to install additional skills via npx (transitive code execution). These patterns are common for legitimate CLIs but increase attack surface and require users to trust inference.sh and any transitive skill packages. No clear evidence of malware or obfuscated malicious code is present in the provided text, but the documented install-and-run patterns warrant caution: verify checksums, prefer manual verification over piping remote scripts to shell, limit credential exposure, and audit any transitive skills before installing.