dialogue-audio

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs point to a third‑party domain offering an install script (curl | sh) and downloadable binaries — a high‑risk pattern because piping and executing remote shell scripts and fetching executables from an unverified domain (with checksums hosted on the same site) can easily be used to distribute malware if the site or distribution is compromised.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Quick Start includes an explicit "curl -fsSL https://cli.inference.sh | sh" which fetches and executes remote install code (and pulls binaries from dist.inference.sh) and the skill depends on that CLI to run, so this is a clear remote-code execution dependency.