agent-tools
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (CRITICAL): The installation instructions in
SKILL.mdandreferences/authentication.mdrecommend runningcurl -fsSL https://cli.inference.sh | sh. This is a classic piped-to-shell RCE pattern from a domain not listed in the trusted sources, allowing unverified code execution in the user's environment.\n- Command Execution (HIGH): The skill requests broadBash(infsh *)permissions. This tool capability allows the agent to execute any sub-command of theinfshCLI, which includes authenticated actions such asinfsh login, posting to social media (x/post-tweet), and managing cloud tasks.\n- Indirect Prompt Injection (LOW): The skill presents a significant surface for indirect prompt injection by processing untrusted user prompts through over 150 third-party AI applications. \n - Ingestion points: Data enters via the
--inputflag ininfsh app runandinfsh app testcommands.\n - Boundary markers: None identified. No delimiters or instructions are provided to the agent to segregate user data from system instructions.\n
- Capability inventory: Full Bash execution for the
infshbinary, network access to numerous AI providers, and social media integration (Twitter/X).\n - Sanitization: None documented. Content is passed directly as JSON input to remote models.\n- Privilege Escalation (MEDIUM): In
references/cli-reference.md, shell completion commands suggest writing directly to/etc/bash_completion.d/, which typically requires elevated (root) privileges.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata