image-to-video
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill contains the command
curl -fsSL https://cli.inference.sh | sh. This is a piped remote execution pattern that downloads and runs code from an untrusted source without any verification or integrity checks. - [EXTERNAL_DOWNLOADS] (MEDIUM): The skill uses
npx skills add inference-sh/skills@...to download and install additional skills from an external repository. This introduces a supply-chain risk as the content of these external skills is not verified. - [COMMAND_EXECUTION] (MEDIUM): The skill requests broad permissions via
allowed-tools: Bash(infsh *). This allows the agent to execute any sub-command and parameter for theinfshtool, which could be exploited if the tool itself has vulnerabilities or if the agent is manipulated into passing dangerous arguments.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata