customer-persona
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill requires the user to run
curl -fsSL https://cli.inference.sh | shto install its primary tool. This pattern is dangerous because it downloads and immediately executes code from a remote server without prior inspection. - [COMMAND_EXECUTION]: The skill is granted permission to use the
Bashtool with the command patterninfsh *. This allows the agent to execute any sub-command provided by the downloadedinfshbinary. - [EXTERNAL_DOWNLOADS]: The documentation indicates that the installation script further downloads binary files from
dist.inference.sh, which is a domain controlled by the author but not recognized as a trusted or well-known service provider. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its data ingestion pipeline.
- Ingestion points: Untrusted data enters the context via
tavily/search-assistantandexa/searchtools (referenced inSKILL.md) when researching market trends. - Boundary markers: There are no visible delimiters or system instructions to ignore potential malicious commands embedded within the retrieved search results.
- Capability inventory: The skill utilizes the
Bashtool to runinfsh, which can interact with various external APIs and potentially perform sensitive operations. - Sanitization: There is no evidence of sanitization, filtering, or validation of the external content before it is processed by the LLM to generate customer personas.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata