agent-tools
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Remote Code Execution (HIGH): The skill instructs the agent to install its CLI tool using curl -fsSL https://cli.inference.sh | sh. This 'curl pipe bash' pattern allows for arbitrary code execution from a non-trusted external source.
  - Evidence: Found in SKILL.md, references/authentication.md, and references/cli-reference.md.
  - Source: https://cli.inference.sh is not a trusted domain per [TRUST-SCOPE-RULE].
- Indirect Prompt Injection (LOW): The skill serves as an interface for over 150 external AI apps (FLUX, Claude, Gemini, etc.), which represents a massive ingestion surface for untrusted data.
  - Ingestion points: Output from any of the 150+ supported apps (JSON/text) in references/running-apps.md.
  - Boundary markers: Absent; the agent is expected to parse and use the output of these tools directly.
  - Capability inventory: The agent has permission to run infsh commands which can generate, search, and post to external platforms (e.g., Twitter).
  - Sanitization: Absent; the skill lacks mechanisms to sanitize or validate the content returned from external model providers before the agent processes it.
- Command Execution & Privilege Escalation (MEDIUM): The CLI reference suggests modifying system-wide shell completions, which requires elevated permissions or environmental modification.
  - Evidence: infsh completion bash > /etc/bash_completion.d/infsh in references/cli-reference.md.
- Credential Handling (SAFE): While the skill mentions the use of INFSH_API_KEY, it provides standard placeholders rather than hardcoded secrets.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata