video-ad-specs

Fail

Audited by Socket on Mar 4, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This skill/instruction document is primarily a benign, practical guide for creating platform-specific video ads, but it includes several high-risk supply-chain and execution patterns. The notable risks are: (1) a pipe-to-shell installer (curl | sh) that downloads and executes remote code; (2) reliance on a third-party distribution domain (dist.inference.sh) for binaries; (3) recommendations to install transitive skills via npx, increasing the trust chain; and (4) broad allowed-tools that effectively permit shell execution. There is no direct evidence of embedded malware or credential harvesting in the text itself, but the distribution and installation patterns materially increase the chance of supply-chain compromise and data exfiltration by downstream components. I assess this as a medium-high security risk primarily because of unsafe install and transitive-install instructions rather than explicit malicious code.

Confidence: 95%
Severity: 90%

Audit Metadata

Analyzed At: Mar 4, 2026, 12:33 PM
Package URL: pkg:socket/skills-sh/tul-sh%2Fskills%2Fvideo-ad-specs%2F@dda1cad7f1f0dd8453f94b4245e9cf767e65ff1f