video-prompting-guide

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH [REMOTE_CODE_EXECUTION] [EXTERNAL_DOWNLOADS] [COMMAND_EXECUTION]
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill contains the shell command "curl -fsSL https://cli.inference.sh | sh", which downloads a script from a remote server and executes it directly through the shell. This pattern is dangerous as the script's content is not statically verified before execution and could be altered by a malicious actor or a compromised server.
  • [EXTERNAL_DOWNLOADS]: The skill uses "npx skills add inference-sh/skills@..." to dynamically download and install external code packages at runtime. This introduces unverified dependencies into the environment.
  • [COMMAND_EXECUTION]: The skill requests the Bash tool with a wildcard permission for "infsh *". While this limits the tool to a specific binary, it allows the agent to execute any sub-command or provide arbitrary arguments to that binary, including potentially destructive operations if the binary has such capabilities.
  • [REMOTE_CODE_EXECUTION]: The npx command is used to execute remote packages from the npm registry, which is a form of remote code execution that bypasses local code reviews.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 8, 2026, 02:51 AM