seo-content-brief
Audited by Socket on Mar 4, 2026
1 alert found:
Malware
The skill is primarily documentation and templates for creating SEO briefs but prescribes installing and using a third-party CLI (inference.sh) via an unpinned curl|sh installer and recommends installing additional skills via npx. These patterns create supply-chain and transitive-trust risks: arbitrary remote code execution at install time, reliance on project-controlled distribution domains, routing of user queries and scraped content through third-party services, and transitive installation of additional skills. I did not find explicit malicious code, obfuscation, or credential harvesting in the provided text, but the download-execute instruction and transitive installs are high-risk practices. Recommend: avoid running curl|sh without manual verification, prefer installing from trusted registries or pinned artifacts, require manual checksum verification, and review any transitive skill packages before installation.