web-search

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Remote Code Execution (CRITICAL): The skill's installation instructions require running curl -fsSL https://cli.inference.sh | sh. This is a classic piped remote execution pattern where an unverified script from an untrusted domain is executed directly in the user's shell, allowing for complete system compromise.
  • Command Execution (HIGH): The skill definition includes allowed-tools: Bash(infsh *), which grants the agent permission to run any subcommand of the infsh CLI. This allows the agent to execute any available app on the inference.sh platform, potentially bypassing the scope intended by the skill author.
  • Indirect Prompt Injection (LOW): The skill's primary purpose is web search and content extraction (via Tavily and Exa). This creates a surface for indirect prompt injection where malicious instructions embedded in web pages could be ingested and followed by the agent.
    ◦ Ingestion points: tavily/extract, exa/extract, and search results.
    ◦ Boundary markers: None present in the provided examples or instructions.
    ◦ Capability inventory: Full access to the infsh CLI toolset.
    ◦ Sanitization: No evidence of sanitization or filtering of extracted web content before it is passed to the LLM.
Recommendations
  • HIGH: Downloads and executes remote code from https://cli.inference.sh. DO NOT USE without thorough review.
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 18, 2026, 10:11 AM