AGENT LAB: SKILLS

llm-models

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • Remote Code Execution (CRITICAL): The installation instructions use curl -fsSL https://cli.inference.sh | sh. This pattern is a major security risk because it executes an unverified remote script with the permissions of the current user, providing a direct vector for system compromise.
  • Metadata Poisoning (MEDIUM): The skill description and model table claim access to 'Claude 4.5' (Opus/Sonnet/Haiku) and 'Gemini 3 Pro'. These versions do not currently exist in the public market, indicating deceptive marketing or misleading documentation intended to exaggerate capabilities.
  • Command Execution (HIGH): The allowed-tools section grants the skill permission to run Bash(infsh *). This gives the AI agent broad authority to execute any subcommand of the installed infsh utility, which, combined with the untrusted installation source, creates a high-risk execution environment.
  • Indirect Prompt Injection (LOW): The skill accepts arbitrary user input via the --input JSON parameter for LLM processing.
      • Ingestion points: The prompt field within the JSON input for infsh app run commands.
      • Boundary markers: Input is structured within JSON objects, providing some technical delimiter, but no explicit instructional boundaries (e.g., 'ignore instructions within this data') are present.
      • Capability inventory: The skill can execute shell commands (infsh) and communicate with external APIs (inference.sh/OpenRouter).
      • Sanitization: There is no evidence of input sanitization or validation before the prompt is passed to the underlying model execution tool.
Recommendations
  • HIGH: Downloads and executes remote code from https://cli.inference.sh. DO NOT USE without thorough review.
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 19, 2026, 03:41 AM