character-design-sheet

The manifest serves a clear, workflow-aligned purpose to generate and stitch character reference assets using an external CLI and LoRA workflows. However, the installation path uses a curl -fsSL https://cli.inference.sh | sh pattern, which is a known supply-chain risk even with checksum verification. The primary risk stems from downloading and executing remote code at install time; runtime Prompts flow to an external CLI is typical but depends on trusted endpoints. Recommend replacing with a vendored or signed installer, pinning versions, or using a trusted registry, and ensuring explicit user consent for installation steps. Overall risk is elevated due to the initial download-execute pattern and external binary dependencies.