video-ad-specs
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: CRITICAL REMOTE_CODE_EXECUTION EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- Remote Code Execution (CRITICAL): The skill documentation includes the command `curl -fsSL https://cli.inference.sh | sh`. This pattern executes an unverified script from a remote server with full shell permissions, which is an extremely high-risk operation that could lead to immediate system infection or data theft.
- External Downloads (HIGH): The skill relies on external dependencies from the untrusted domain `cli.inference.sh`. Since this source is not on the trusted organizations list, the code cannot be verified for safety or integrity.
- Command Execution (MEDIUM): The skill uses `npx` to fetch and execute packages from an untrusted repository (`inference-sh/skills`). This introduces a significant supply chain risk where a compromise of the remote repository would lead to malicious code execution on the user's machine.
- Command Execution (LOW): The skill requests permission to use the `Bash` tool to interact with the `infsh` CLI. While the CLI's purpose is for video generation, granting an AI agent access to a CLI installed from an untrusted source increases the potential attack surface.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata