product-hunt-launch
Fail
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill facilitates the installation of a CLI tool via a shell script download:
curl -fsSL https://cli.inference.sh | sh. The script originates from the domain associated with the skill author. - [REMOTE_CODE_EXECUTION]: Uses
npxto download and execute additional logic from the vendor's repository (inference-sh/skills). - [COMMAND_EXECUTION]: Utilizes the
infshtool to execute external sub-commands for image generation (falai/flux-dev-lora) and web searching (tavily/search-assistant,exa/search). - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from external web searches to research competitive launches.
- Ingestion points: Web search results retrieved via the
tavily/search-assistantandexa/searchapplications. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the search integration examples.
- Capability inventory: Access to shell execution via the
infshCLI. - Sanitization: No sanitization or validation mechanisms are described for the processing of external search data.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata