agent-tools

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). These URLs all point to a single third‑party domain (inference.sh and related subdomains) that hosts a downloadable CLI and binaries — including a curl | sh installer and direct binary downloads referenced in a manifest — which is a high‑risk distribution pattern even though checksums and Sigstore verification are mentioned; piping an unknown shell script and fetching executables from a non‑well‑known domain can deliver malware if the host or files are compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The SKILL.md explicitly lists and demonstrates running web-search apps (e.g., "infsh app run tavily/search-assistant" in Quick Examples and "Web search: Tavily Search, Exa Search" in What's Available), which fetch and return open/public web content that the agent would read and act on, allowing untrusted third-party content to influence subsequent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs running "curl -fsSL https://cli.inference.sh | sh" (and downloads binaries from https://dist.inference.sh), which fetches and executes remote installer code at runtime and is a required dependency to use the CLI.