ai-podcast-creation
Audited by Socket on Mar 4, 2026
1 alert found:
Malware
This skill's stated purpose (AI podcast creation) aligns with its capabilities: orchestrating TTS, music generation, and media merging via a hosted CLI and cloud-hosted apps is coherent. However, there are multiple supply-chain and data-flow risks: the README promotes a curl|sh installer (download-and-execute), requires users to authenticate to a third-party service (credential exposure potential), routes all processing through remote inference apps (user documents and audio are sent to third-party endpoints), and encourages transitive installation of other skills (npx add). These behaviors are proportionate to a hosted-service workflow but increase attack surface and demand elevated trust in inference.sh and any transitive packages.
Recommended mitigations: avoid curl|sh installation or provide an audited release bundle and clear signature verification; document exact token scopes and storage; warn users about sending sensitive documents to remote services; avoid instructing automatic skill installs or at least pin and review transitive skills.
Overall risk is medium due to supply-chain and data-exfiltration vectors, not because the content appears intentionally malicious.