email-design
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill includes a command to install the vendor's CLI tool by piping a remote script to the shell: `curl -fsSL https://cli.inference.sh | sh`. While this originates from the vendor's own infrastructure, executing remote scripts directly in a shell is a sensitive pattern.
- [EXTERNAL_DOWNLOADS]: The skill references binary downloads from `dist.inference.sh`. The documentation indicates that the installation script performs OS detection and SHA-256 verification of the downloaded files.
- [COMMAND_EXECUTION]: The skill utilizes the `infsh` command via a bash tool for image generation and login actions. It also utilizes `npx` to add related skills from the `inference-sh` repository.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8).
  - Ingestion points: Data enters the agent context through the `html` field in the `infsh app run` commands.
  - Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands when the agent populates the HTML templates with user-provided text.
  - Capability inventory: The skill possesses the capability to execute subprocesses via the `infsh` CLI and interact with external AI services.
  - Sanitization: The provided examples do not demonstrate sanitization or escaping of content before it is processed by the HTML-to-image engine.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review