Skills
skills/1nfsh-s3/skills/landing-page-design/Gen Agent Trust Hub

landing-page-design

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches an installation script from https://cli.inference.sh and references binary downloads from dist.inference.sh. It also pulls additional remote skill sets via npx from inference-sh/skills.
  • [REMOTE_CODE_EXECUTION]: Employs the curl -fsSL ... | sh pattern to install the infsh CLI. This method downloads and executes a shell script from a remote URL directly in the shell environment. It also uses npx for dynamic execution of remote skill packages.
  • [COMMAND_EXECUTION]: Uses the Bash tool to run system commands, including the installation script, infsh login and application runs, and npx skill additions.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface.
  • Ingestion points: Competitor research data from the tavily/search-assistant app run.
  • Boundary markers: None present to distinguish search results from agent instructions.
  • Capability inventory: Subprocess calls through the infsh CLI and Bash tool.
  • Sanitization: No explicit sanitization or validation of the search assistant's output before it is processed by the agent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 8, 2026, 02:51 AM