ai-music-generation

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill documentation includes the command "curl -fsSL https://cli.inference.sh | sh". This is a piped remote execution pattern from an untrusted source (inference.sh), which grants the ability to execute arbitrary code on the user's system without prior verification.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill references multiple external dependencies from the inference-sh organization (e.g., inference-sh/skills@inference-sh) via npx. This organization is not included in the Trusted External Sources list, making these dependencies unverifiable and potentially malicious.
  • [COMMAND_EXECUTION] (MEDIUM): The skill defines Bash(infsh *) in its allowed-tools, enabling the agent to execute any subcommand of the infsh binary. Since the binary itself is installed via an untrusted remote script, this creates a significant attack surface for local system compromise.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 18, 2026, 02:02 AM