explainer-video-guide

Fail

Audited by Socket on Mar 4, 2026

1 alert found:

Malware: HIGH
SKILL.md

This skill is a benign-looking explainer-video production guide that relies on a third-party CLI (infsh) and cloud model endpoints for media generation. The main security concerns are supply-chain and data-exfiltration risks arising from the recommended download-and-execute installer (curl | sh), dependence on a custom distribution domain for binaries and checksums, and transitive installs via npx skills add. The guide instructs users to upload prompts and local media to multiple external providers, which is functionally expected but increases exposure if credentials or sensitive files are included. There is no clear evidence of intentionally malicious code in the provided text, but the installation and transitive-install patterns are high-risk supply-chain behaviors and warrant cautious handling: prefer reviewing installer contents, use pinned, signed releases, and avoid uploading sensitive files or credentials to these services without verifying their policies.

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At: Mar 4, 2026, 12:33 PM
Package URL: pkg:socket/skills-sh/tul-sh%2Fskills%2Fexplainer-video-guide%2F@c577aa19e5d537fa600defc3ffa816041d862698