image-to-video
Audited by Socket on Mar 4, 2026
1 alert found:
Malware

This skill is a documentation guide for using a third-party CLI (infsh) to convert still images into animated videos via hosted model backends. The functionality itself is coherent with its stated purpose.

However, there are notable supply-chain and privacy risks: the Quick Start uses a pipe-to-shell installer (curl | sh) which allows arbitrary remote code execution, the workflow requires logging in to a third-party service (credential forwarding risk), and the README encourages transitive installation of additional skills via npx which expands the trust chain. These patterns do not prove active malicious code in the documentation, but they are high-risk supply-chain practices that could enable credential harvesting or remote code execution if the referenced hosts or packages are compromised.

Recommended mitigations: avoid pipe-to-shell installs (download and verify manually), audit the infsh binary and its checksum from a separate channel, review privacy/auth handling for infsh login, and avoid blind npx installs of third-party skills without review.