email-design
Audited by Socket on Mar 4, 2026
1 alert found:
Malware
This skill is primarily instructional and not overtly malicious: it provides email design guidance and demonstrates using a third-party CLI (infsh) to generate visuals. The main security concerns are supply-chain and privacy risks: (1) the use of curl | sh to install a binary (download-and-execute) is a high-risk pattern even if checksums are provided, (2) installing and running a third-party CLI means credentials entered via 'infsh login' and content sent to inference.sh will be transmitted to external services, and (3) suggested transitive installation of other skills (npx skills add) expands the trust chain. There are no hardcoded secrets or obfuscated payloads in the provided text, and no direct evidence of malware, but the download-execute and transitive install patterns raise the securityRisk to a moderate-high level for supply-chain exposure. Users should avoid pipe-to-shell installs, verify checksums independently, review the infsh CLI source before installing, and limit what sensitive data is sent to remote inference apps. Treat this skill as useful but requiring caution when following its installation and runtime instructions.