data-visualization
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the
infshCLI tool via Bash to manage authentication (infsh login) and execute remote applications (infsh app run). This is the intended delivery mechanism for the vendor's services. - [REMOTE_CODE_EXECUTION]: The skill provides recipes that send Python code and HTML snippets to remote executors (
infsh/python-executorandinfsh/html-to-image). While the provided examples use static data, this pattern involves executing code in a remote environment. - [INDIRECT_PROMPT_INJECTION]: There is a surface for indirect injection if a user adapts the provided templates to visualize untrusted external data. If such data is interpolated directly into the Python or HTML strings without sanitization, it could lead to unintended code execution within the executor context.
- [EXTERNAL_DOWNLOADS]: The documentation suggests installing additional skills via
npx skills add. These references point to the vendor's own namespace (inference-sh/skills), which is consistent with the skill's authorship.
Audit Metadata