ai-rag-pipeline
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill instructs the user to execute curl -fsSL https://cli.inference.sh | sh. This pattern downloads and executes a script directly from a non-trusted domain in a single step, providing no opportunity for the user to verify the code before execution. This matches the highest severity criteria for unverifiable remote code execution.
- COMMAND_EXECUTION (HIGH): The skill requests allowed-tools: Bash(infsh *), which grants the agent the ability to execute any command via the infsh CLI. This provides a wide attack surface for arbitrary command execution within the context of that tool's capabilities.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: Untrusted web content enters the agent context through variables like $SEARCH_RESULT, $TAVILY, $EXA, and $CONTENT in the provided bash examples.
  - Boundary markers: No delimiters or warnings (e.g., 'ignore embedded instructions') are used when interpolating external data into LLM prompts.
  - Capability inventory: The infsh tool can perform network requests, file operations, and execute various LLM 'apps' via Bash.
  - Sanitization: There is no evidence of escaping, validation, or filtering of the content retrieved from external URLs before it is passed to the LLM.
- CREDENTIALS_UNSAFE (MEDIUM): The quick start guide encourages running infsh login. While necessary for the tool's function, it involves the interactive handling and storage of sensitive authentication tokens within the environment where the agent operates.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata