ai-voice-cloning
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill explicitly commands the agent to run
curl -fsSL https://cli.inference.sh | sh. This is a highly dangerous pattern that executes unverified remote code with local user privileges. - [EXTERNAL_DOWNLOADS] (HIGH): The skill uses
npx skills addto install additional external components from theinference-shrepository. This source is not on the trusted organizations list, leading to unverified code execution. - [COMMAND_EXECUTION] (MEDIUM): The skill defines
allowed-tools: Bash(infsh *), granting broad execution rights for any subcommand underinfsh. While central to the skill's function, this increases the attack surface if the binary itself is malicious or exploitable. - [PROMPT_INJECTION] (LOW): The skill has a surface for indirect prompt injection.
- Ingestion points: User-provided text is interpolated into the
--inputJSON payload inSKILL.md(e.g., in thekokoro-ttsexamples). - Boundary markers: The text is wrapped in JSON quotes, but no explicit instructions are provided to the model to ignore control sequences or embedded commands within the user text.
- Capability inventory: The skill has access to shell execution via
Bash(infsh *)and network access through theinfshtool. - Sanitization: There is no evidence of sanitization or escaping of the user-provided input before it is passed to the CLI tool.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata