product-hunt-launch
Fail
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill facilitates the installation of the vendor's CLI tool by piping a script from 'https://cli.inference.sh' directly to the shell. This follows the author's standard installation procedure.
- [EXTERNAL_DOWNLOADS]: Binary components and verification checksums are downloaded from 'dist.inference.sh' during the setup process.
- [COMMAND_EXECUTION]: The skill utilizes the 'infsh' tool via the Bash environment to execute specialized applications for image generation and research. It also uses 'npx' to manage associated skills.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface (Category 8).
  - Ingestion points: Data is ingested from external search tools 'tavily/search-assistant' and 'exa/search' within SKILL.md.
  - Boundary markers: No explicit delimiters or instructions to disregard embedded commands are present in the processing flow.
  - Capability inventory: The agent has access to shell execution via 'Bash(infsh *)'.
  - Sanitization: There is no evidence of filtering or sanitization of the retrieved search content before it is processed by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review