landing-page-design

Fail

Audited by Socket on Mar 4, 2026

1 alert found:

Malware: HIGH
SKILL.md

This skill's content and examples are plausible and largely consistent with its stated purpose: landing page design plus convenient AI-powered image and research generation. However, it includes several supply-chain and data-flow patterns that increase security risk: an explicit curl|sh installer example (download-and-execute), reliance on third-party inference.sh/dist.inference.sh infrastructure for runtime processing, suggestions to install transitive skills (npx skills add), and broad allowed-tools (Bash(infsh *)) that permit shell-level actions through the infsh CLI. These patterns are legitimate in many developer tools but materially expand the trust boundary and present medium-to-high supply-chain risk if the distribution or runtime endpoints are compromised or if users paste sensitive data into prompts. Recommended mitigations: avoid copy-paste curl|sh examples, show pinned releases or GPG signatures for installers, warn users not to include secrets in prompts, limit allowed-tools to the minimal required commands, and caution about transitive skill installs and vetting external apps.

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Mar 4, 2026, 12:32 PM
Package URL: pkg:socket/skills-sh/tul-sh%2Fskills%2Flanding-page-design%2F@5fc2a33877e2636333787ca8929ba9e069be245f