pitch-deck-visuals
Audited by Socket on Mar 4, 2026
1 alert found:
Malware
This skill is functionally plausible for generating pitch-deck visuals, but it contains multiple supply-chain and data-exposure risks. The most significant issues are the curl|sh quick-start installer and the reliance on remote inference/executor services that accept arbitrary HTML, code, and image prompts. Transitive installation of third-party skills and the broad allowed-tools (infsh *) increase attack surface: malicious or compromised upstream components could execute code, harvest credentials, or exfiltrate slide content. Recommended mitigations: avoid pipe-to-shell installs (provide pinned releases and manual verification steps), clearly document credential handling and retention for infsh login, warn users about sending proprietary data to remote services, and minimize allowed-tools or require explicit user consent before transitive installs or remote code execution.