Skills
skills/inf-sh/skills/ai-avatar-video/Gen Agent Trust Hub

ai-avatar-video

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill uses the pattern curl -fsSL https://cli.inference.sh | sh to install the Inference.sh CLI.
  • Evidence: This command is found in the 'Quick Start' section of SKILL.md.
  • Risk: Piped shell execution is a critical vulnerability because the content of the remote script can change at any time, leading to arbitrary code execution without user review or integrity checks.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill installs an unverified third-party binary (infsh) from a non-whitelisted domain.
  • Evidence: The installation process and subsequent use of infsh throughout the documentation.
  • Risk: Reliance on external, unauthenticated binaries from untrusted sources poses a significant supply chain risk.
  • [COMMAND_EXECUTION] (MEDIUM): The skill heavily utilizes the Bash tool to interact with the OS and the installed CLI tool.
  • Evidence: allowed-tools: Bash(infsh *) in the YAML frontmatter.
  • Risk: While necessary for the skill's function, the combination of an untrusted installer and broad bash permissions increases the attack surface.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 18, 2026, 01:56 AM