talking-head-production

Fail

Audited by Socket on Mar 4, 2026

1 alert found:

Malware: HIGH
File: SKILL.md

The skill's described functionality (orchestrating AI-avatar lipsync video production) is coherent with the included workflow. However, the presence of a direct curl-into-shell installer for a remote CLI (curl -fsSL https://cli.inference.sh | sh) represents a notable supply-chain risk pattern. While checksum verification is mentioned, the combination of remote installer, dynamic app IDs, and multi-step remote tooling creates nontrivial risk surfaces for tampering, version-bleed, or compromised binaries. In a real-world setting, this should be treated as SUSPICIOUS (with elevated security controls) rather than fully benign, and should be hardened by pinning installer sources, verifying signatures more robustly, and reducing reliance on such remote install flows.

Confidence: 98%
Severity: 90%
Audit Metadata
Analyzed At: Mar 4, 2026, 12:32 PM
Package URL: pkg:socket/skills-sh/tul-sh%2Fskills%2Ftalking-head-production%2F@2e642cc84f58bbf26329847e4aab2c236d66dc46