product-hunt-launch

Fail

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill recommends installing the infsh CLI tool via a shell pipe: curl -fsSL https://cli.inference.sh | sh. This involves downloading and executing a script from a remote vendor-controlled domain.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the infsh command-line tool to interact with AI models and search engines as defined in the allowed-tools section.
  • [EXTERNAL_DOWNLOADS]: The skill suggests adding related skills using npx skills add, which fetches code from the inference-sh namespace.
  • [PROMPT_INJECTION]: The skill contains an attack surface for indirect prompt injection as it processes data from external web searches without visible sanitization.
      • Ingestion points: External search results from Tavily and Exa are used as input for subsequent tasks in the SKILL.md file.
      • Boundary markers: There are no delimiters or instructions provided to the agent to treat search results as untrusted data or to ignore embedded instructions.
      • Capability inventory: The skill has the ability to execute various tools via the infsh command, including search assistants and image generators.
      • Sanitization: The skill does not implement validation, escaping, or filtering for the data retrieved from external sources before it is processed by the agent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 25, 2026, 05:36 PM