product-hunt-launch
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill instructs the user to execute 'curl -fsSL https://cli.inference.sh | sh'. This piped-to-shell pattern executes remote code without integrity verification or source authentication, posing a severe risk.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads and installs a CLI tool and additional packages from 'inference.sh', which is not a verified trusted source.
- [COMMAND_EXECUTION] (HIGH): The tool 'Bash(infsh *)' allows for the execution of arbitrary commands through an unverified CLI interface.
- [PROMPT_INJECTION] (LOW): Indirect prompt injection surface identified. 1. Ingestion points: Data entering via 'tavily/search-assistant' and 'exa/search'. 2. Boundary markers: None. 3. Capability inventory: Command execution via 'infsh' and 'Bash'. 4. Sanitization: No sanitization of external search results before use in subsequent commands.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata