twitter-automation

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill documentation provides an installation command that pipes a remote script directly into the shell (curl -fsSL https://cli.inference.sh | sh). This pattern bypasses standard package management and poses a risk if the remote source or transmission is compromised.
  • [EXTERNAL_DOWNLOADS]: The installation script fetches pre-compiled binaries from dist.inference.sh. While the skill author provides SHA-256 checksums for manual verification, the automated installation process introduces external binary dependencies from vendor-controlled infrastructure.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted data.
      • Ingestion points: User-provided content (e.g., tweet text, DM content) is passed directly into the --input argument of various infsh sub-commands.
      • Boundary markers: There are no boundary markers or delimiters shown in the examples to isolate user input from the command structure or to instruct the agent to ignore embedded instructions.
      • Capability inventory: The infsh tool has extensive capabilities, including network access to the Twitter/X API and the ability to read local files (e.g., infsh app run ... --input input.json).
      • Sanitization: The skill lacks visible sanitization, escaping, or validation logic for data interpolated into the automation commands.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash(infsh *) capability. This allows the agent to execute any sub-command within the tool's ecosystem, enabling complex interactions with external APIs and potentially the local file system through JSON input files.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 8, 2026, 02:51 AM