image-upscaling

The skill documentation describes a legitimate image upscaling workflow relying on the infsh CLI and hosted inference services. However, it uses high-risk distribution and install patterns (curl | sh to fetch an installer and automatic binary downloads), and it encourages transitive installation of third-party skills via npx. These patterns create meaningful supply-chain and credential risks: a compromised install script, binary host, or transitive skill could execute arbitrary code or exfiltrate credentials/data. The documentation lacks details about how credentials are stored/used and how binary checksums are verified in the automatic install path. There is no direct evidence of backdoors or active malicious code in the fragment provided, but the operational practices recommended are high risk and disproportionate if a security-sensitive environment is assumed. Recommend avoiding pipe-to-shell installs, performing manual verification of checksums, reviewing any transitive skill repositories before installing, and minimizing credential scope when using infsh login.