og-image-design
Audited by Socket on Mar 4, 2026
1 alert found:
Malware
The reviewed file is documentation and examples for a legitimate developer utility to generate OG/social images using the inference.sh ecosystem. I did not find direct malicious code or explicit backdoors in the provided content. However, the documentation endorses high-risk supply-chain practices (curl | sh installer and automatic binary execution), transitive installation of third-party skills (npx / remote apps), and remote processing of user-supplied HTML/prompts without explicit warnings about sensitive data. These patterns increase attack surface and potential for credential exposure or data leakage if distribution endpoints or third-party skills are compromised. Recommended mitigations: avoid piping remote scripts to shell without manual inspection and checksum/signature verification; prefer cryptographic signature verification of binaries; audit where infsh stores credentials and prefer short-lived, least-privilege tokens; sanitize inputs before sending to remote models; and review third-party skill code before installation. Overall: not overtly malicious but presents moderate supply-chain and data-exfiltration risk that warrants caution.