background-removal
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill includes instructions to execute
curl -fsSL https://cli.inference.sh | sh. This pattern downloads and executes a script directly from an untrusted domain without any verification, which is a high-risk security vulnerability that can lead to arbitrary code execution. - [EXTERNAL_DOWNLOADS] (MEDIUM): The documentation points to the command
npx skills add inference-sh/skills@..., which downloads code from theinference-shGitHub organization. This source is not recognized as a trusted provider under the current security guidelines. - [COMMAND_EXECUTION] (LOW): The skill is granted permission to run the
infshcommand. While this is necessary for the skill's functionality, the underlying tool is installed via an insecure method, linking its safety to the initial unverified script execution.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata