Skills
AGENT LAB: SKILLS
skills/inference-sh-3/skills/youtube-thumbnail-design/Gen Agent Trust Hub

youtube-thumbnail-design

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • Remote Code Execution (CRITICAL): The skill uses the highly dangerous pattern curl -fsSL https://cli.inference.sh | sh to install the infsh CLI. This executes unverified code directly from a remote server without any integrity checks or source verification.
  • External Downloads (MEDIUM): The skill utilizes npx skills add to fetch and integrate additional skills from the inference-sh repository. As this source is not on the trusted organizations list, the code cannot be verified as safe.
  • Command Execution (MEDIUM): The skill requires permissions to execute infsh via the Bash tool. Since infsh is installed via a remote script of unknown integrity, this creates a persistent risk where the tool could perform malicious actions during subsequent uses.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 19, 2026, 03:41 AM