pitch-deck-visuals
Fail
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions to install the vendor's command-line interface by piping a script from
https://cli.inference.shdirectly into a shell environment. - [EXTERNAL_DOWNLOADS]: The installation script downloads pre-compiled binaries from
dist.inference.shas part of its automated setup process. - [COMMAND_EXECUTION]: The skill uses the
infshtool to execute remote applications for HTML-to-image conversion and data processing. - [REMOTE_CODE_EXECUTION]: The skill contains embedded Python code for generating charts using the
matplotliblibrary, which is executed at runtime via theinfsh/python-executorenvironment. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by processing external inputs for visual rendering. Ingestion Point: The
--inputfield inSKILL.mdpasses data to the CLI. Capability Inventory: Theinfshtool executes remote logic and generates local files. Sanitization and Boundary Markers: The skill lacks explicit sanitization or delimiters to prevent untrusted data from potentially influencing tool behavior.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata