ai-podcast-creation
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill's documentation and execution flow rely on the command curl -fsSL https://cli.inference.sh | sh. This is a classic 'curl pipe to sh' pattern that executes unverified remote scripts with the user's current shell privileges. The domain inference.sh is not a trusted source according to the security policy.
- EXTERNAL_DOWNLOADS (HIGH): The skill prompts the download of external binaries and scripts from https://cli.inference.sh and encourages adding further untrusted skills via npx skills add inference-sh/skills@....
- COMMAND_EXECUTION (MEDIUM): The skill requests broad permission for the Bash(infsh *) tool. This allows the agent to execute any sub-command of infsh, which can interact with the local filesystem (writing .json files) and the network.
- PROMPT_INJECTION (LOW): (Indirect Prompt Injection) The skill contains a 'NotebookLM-Style' workflow that ingests untrusted document content (<your-document-content>) and interpolates it directly into a prompt for Claude-3.5-Sonnet.
  - Ingestion points: SKILL.md (NotebookLM-Style Content section).
  - Boundary markers: Absent. The document content is placed directly after a colon in the prompt string.
  - Capability inventory: Subprocess calls (via infsh app run), file-writing (> script.json), and network operations.
  - Sanitization: None detected. This allows an attacker to embed instructions within a document that could manipulate the podcast script generation or subsequent tool calls.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata