image-to-video
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The 'Quick Start' section includes the command
curl -fsSL https://cli.inference.sh | sh. This 'pipe to shell' pattern downloads and immediately executes code from a remote server without verification or integrity checks. - Evidence: Found in the
Quick Startsection ofSKILL.md. - EXTERNAL_DOWNLOADS (MEDIUM): The 'Related Skills' section suggests adding external dependencies via
npx skills add. This utilizes the Node.js package runner to fetch and execute packages from the npm registry that are not from the defined trusted organizations list. - Evidence:
npx skills add inference-sh/skills@...entries at the end ofSKILL.md. - COMMAND_EXECUTION (LOW): The skill is heavily reliant on executing shell commands via the
infshCLI. While the skill attempts to restrict this viaallowed-tools: Bash(infsh *), the presence of the installation instruction in the markdown body could lead an agent to attempt the CRITICAL RCE pattern mentioned above. - DATA_EXPOSURE (LOW): The tool requires local file paths for images (e.g.,
path/to/lake-image.png). While legitimate for its purpose, it establishes a pattern of reading from the local filesystem to send data to an external API (inference.sh).
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata