text-to-speech
Audited by Socket on Mar 4, 2026
1 alert found:
Malware

This skill README documents a legitimate-seeming Text-to-Speech integration that relies on a third-party CLI (infsh) and remote apps hosted by inference.sh. I found no direct malicious code in the README itself, no hardcoded secrets, and no obfuscated payloads. However, there are multiple supply-chain and data-exposure risks: the recommended install uses a pipe-to-shell pattern (curl | sh) to fetch and run a binary from a remote host; the workflow authenticates via infsh login and will send credentials/tokens to remote backends; and the README explicitly recommends transitive skill installs via npx which expand the trust boundary. These patterns are common for cloud CLI tooling but are high-risk in the supply-chain threat model. If you plan to use this skill, avoid pipe-to-shell installs (download and verify checksums manually), review the CLI and its source code/binary provenance, minimize credential scopes, and be cautious when installing additional third-party skills.