▥AGENT LAB: SKILLS — FEB 26 NYCAGENT LAB: SKILLS

skills/inference-sh-4/skills/explainer-video-guide/Snyk

explainer-video-guide

Fail

Audited by Snyk on Feb 19, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 1.00). The domains (inference.sh and cli.inference.sh) host a remote shell installer (curl ... | sh) from a short/unverified .sh domain — piping an unreviewed script into sh is a high-risk pattern that can deliver arbitrary malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill's Quick Start directs users to run curl -fsSL https://cli.inference.sh | sh which downloads and immediately executes remote code (installing the infsh CLI) that the skill then relies on to run prompt-generating apps, so this URL is a risky runtime dependency.

Audit Metadata

Risk Level

CRITICAL

Analyzed

Feb 19, 2026, 02:39 AM