video-prompting-guide

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • Remote Code Execution (HIGH): The skill contains the command 'curl -fsSL https://cli.inference.sh | sh', which downloads a script from an untrusted external URL and pipes it directly into the shell. This is a classic RCE vector that allows the source to execute arbitrary code with the user's permissions.
  • External Downloads (HIGH): The documentation suggests installing several additional skills using 'npx skills add inference-sh/skills@...'. Because 'inference-sh' is not a trusted organization, these represent unverifiable and potentially malicious code dependencies.
  • Command Execution (MEDIUM): The skill's frontmatter allows the use of 'Bash(infsh *)'. While restricted to the infsh command, the security of this tool is compromised because it is installed through the insecure method mentioned above.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 18, 2026, 03:24 PM