dialogue-audio
Audited by Socket on Mar 4, 2026
1 alert found:
Malware
This skill documentation is functionally benign for its stated purpose (creating dialogue audio using a remote TTS service), but it contains multiple supply-chain risk patterns that make it potentially dangerous if users blindly follow the install/run instructions. The highest concerns are: (1) the curl | sh installer (download-and-execute) which is a high-risk supply-chain vector, (2) reliance on external binaries hosted on dist.inference.sh and (3) transitive installs (npx skills add) that expand the trust boundary. The use of a CLI that stores/forwards authentication tokens is expected for hosted TTS, but it also means credentials and prompt data are handled by a remote provider. Recommend: do not run the curl | sh installer without verifying checksums, review the infsh CLI source or package distribution, minimize transitive installs, and treat any tokens stored by the CLI as sensitive. Overall this is not demonstrably malicious code, but the supply-chain patterns warrant caution and moderate security risk controls.