product-changelog

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill recommends a high-risk installation pattern where a remote shell script from 'https://cli.inference.sh' is piped directly into 'sh'. This method bypasses standard security reviews and allows the remote server to execute arbitrary commands on the user's system.
  • [COMMAND_EXECUTION]: The skill relies on the 'Bash(infsh *)' tool to execute various CLI commands for logging in and running cloud-based applications. This capability allows the agent to interact with external binaries and services.
  • [EXTERNAL_DOWNLOADS]: The skill references external binaries and configurations from 'inference.sh' subdomains and suggests using 'npx' to install additional skill packages from the 'inference-sh' GitHub organization.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8). 1. Ingestion points: User-provided descriptions and feature details in SKILL.md are passed as arguments to 'infsh' CLI commands. 2. Boundary markers: The command examples lack delimiters or protective instructions to prevent the model from following instructions embedded in the user data. 3. Capability inventory: The 'Bash' tool can execute various inference 'apps' that process the potentially malicious input. 4. Sanitization: No evidence of input validation or escaping is present in the skill's command templates.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 8, 2026, 02:51 AM