product-hunt-launch
Fail
Audited by Snyk on Mar 4, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The URLs point to an unfamiliar third-party domain that provides a remote install script (curl https://cli.inference.sh | sh). The script downloads binaries from the same domain, and the checksums are published on that same host. This approach is convenient but risky: remote script execution and same-site checksums allow supply-chain compromise and lack independent code-signing verification.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs the agent to run infsh apps like "tavily/search-assistant" and "exa/search" (see Quick Start and Research for Preparation) to fetch and analyze public Product Hunt/search results and community sentiment. This is untrusted third-party web and user-generated content that the agent is expected to read and that can materially influence launch decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's Quick Start explicitly runs a remote install command that fetches and executes code via "curl -fsSL https://cli.inference.sh | sh" (and the infsh CLI then invokes remote apps hosted under inference.sh/dist), so https://cli.inference.sh is a runtime external dependency that executes remote code.
Audit Metadata