youtube-thumbnail-design

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • Remote Code Execution (CRITICAL): The skill contains a shell command that pipes a remote script directly into the interpreter: curl -fsSL https://cli.inference.sh | sh. This execution method is highly dangerous because the source script can be modified by the remote host to include malicious payloads without any local verification or review. Evidence found in SKILL.md.
  • External Downloads (MEDIUM): The skill uses npx skills add to fetch and install additional functionality from inference-sh/skills. These remote resources are not from whitelisted trusted organizations and introduce unverified dependencies into the environment.
  • Command Execution (LOW): The skill configuration defines allowed-tools: Bash(infsh *), which provides the agent with the authority to execute any subcommand for the infsh utility, expanding the attack surface if the utility itself has vulnerabilities.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 19, 2026, 08:21 PM