agent-tools

Fail

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the user and agent to install the inference.sh CLI by piping a remote script directly to the shell (curl -fsSL https://cli.inference.sh | sh). This is a highly insecure practice as it executes unverified code from an external source. A similar pattern is found in the manual installation instructions which dynamically fetch and execute a binary URL from a manifest file.
  • [DATA_EXFILTRATION]: The infsh CLI tool includes an 'automatic file upload' feature. When a local file path is provided in the JSON input for any AI app command (e.g., infsh app run ... --input '{"image": "/path/to/file"}'), the CLI tool automatically reads that local file and uploads it to the vendor's cloud servers. This behavior creates a significant exfiltration vector; an attacker could use indirect prompt injection to trick the agent into uploading sensitive files like ~/.ssh/id_rsa, .env files, or cloud credentials.
  • [COMMAND_EXECUTION]: The skill is configured with broad shell execution permissions for the infsh command via the Bash(infsh *) tool definition. This allows the agent to execute any subcommand of the CLI, which includes deploying new apps, managing authentication, and interacting with the local filesystem.
  • [EXTERNAL_DOWNLOADS]: The installation process involves downloading binaries and manifest files from dist.inference.sh. These downloads are not from a well-known or trusted registry, and while the skill mentions checksum verification, the initial script that performs the verification is itself unverified.
  • [PROMPT_INJECTION]: The skill acts as a gateway to over 250 external AI apps and models (including Claude, Gemini, and search engines).
      • Ingestion points: External data enters the agent context through the output of commands like infsh app run, infsh task get, and infsh app list (SKILL.md, references/running-apps.md).
      • Boundary markers: The skill does not define or use any delimiters or protective 'ignore embedded instructions' warnings when presenting external app outputs to the agent.
      • Capability inventory: The agent has the ability to execute shell commands (infsh), read and upload local files (infsh app run), and manage cloud deployments (infsh app deploy).
      • Sanitization: There is no evidence of escaping, validation, or filtering of the content returned by the AI apps before it is processed by the primary agent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 24, 2026, 04:48 AM