ai-product-photography
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the
Bashtool with a wildcard permission for theinfshCLI (infsh *). While intended for interacting with the vendor's image generation service, this broad permission allows the agent to execute any subcommand of the CLI, which increases the potential attack surface. - [EXTERNAL_DOWNLOADS]: The documentation suggests installing additional skills using
npx skills add inference-sh/skills. The use of the nameinference-sh(with 'ce') contradicts the declared author contextinferen-sh. Per the security guidelines, this mismatch between the author name and the source organization for external dependencies may indicate a typosquatting risk or an unverifiable remote source.
Audit Metadata