ai-voice-cloning
Audited by Socket on Mar 4, 2026
1 alert found:
Malware

This skill documentation describes use of the inference.sh CLI to perform TTS and voice-cloning tasks. The primary security concerns are supply-chain and data-exfiltration risks: it recommends an unpinned curl | sh install of a remote CLI (dangerous), routes user text and media through a centralized third-party service (inference.sh), and encourages transitive installation of additional skills via npx. There are no explicit hardcoded secrets or visible backdoor code in the text itself, but the install-and-execute pattern, broad allowed tooling (Bash/infsh), and transitive installs raise moderate to high supply-chain risk.

Recommended mitigations before use: avoid pipe-to-shell installs (download binary, verify checksums, inspect code), confirm the trustworthiness of inference.sh and dist.inference.sh, prefer pinned/verifiable releases, review what the infsh CLI stores/where credentials are sent, audit any npx-installed skills, and be cautious about sending sensitive prompts or URLs to the remote service.

Overall: not confirmed malware, but a clear medium-high supply-chain and data-exposure risk.