Skills
skills/inf-sh/skills/youtube-thumbnail-design/Gen Agent Trust Hub

youtube-thumbnail-design

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): Piped remote script execution from an untrusted source. The instruction 'curl -fsSL https://cli.inference.sh | sh' allows for arbitrary code execution from a domain not present on the trusted list, potentially leading to full system compromise.
  • EXTERNAL_DOWNLOADS (MEDIUM): Unverifiable dependency installation. The skill uses 'npx' to download and install additional skills from 'inference-sh', which is not an established trusted provider.
  • PROMPT_INJECTION (LOW): Indirect prompt injection vulnerability. The skill processes user-provided prompts that are interpolated into shell commands. 1. Ingestion points: User-controlled image prompts in 'infsh' commands. 2. Boundary markers: Absent. 3. Capability inventory: Command execution via 'infsh' and 'Bash' tool. 4. Sanitization: Absent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 18, 2026, 01:56 AM