Skills
skills/inference-sh-4/skills/youtube-thumbnail-design/Gen Agent Trust Hub

youtube-thumbnail-design

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill instructions include curl -fsSL https://cli.inference.sh | sh. This is a classic critical security vulnerability where remote scripts are executed without verification. The domain inference.sh is not a trusted source.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill documentation suggests installing further dependencies using npx skills add inference-sh/skills@.... Since inference-sh is not an approved trusted organization, this constitutes a risk of executing unverified code from the network.
  • [COMMAND_EXECUTION] (MEDIUM): The skill's metadata allows the use of the infsh tool via Bash(infsh *). This command execution capability is tied to the binary installed through the insecure piped-shell method.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 18, 2026, 10:57 PM