ai-rag-pipeline
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS / REMOTE_CODE_EXECUTION (CRITICAL): The skill documentation and examples explicitly use the pattern
curl -fsSL https://cli.inference.sh | sh. This executes a remote script with shell privileges without verification. The sourceinference.shis not a designated trusted source. - COMMAND_EXECUTION (HIGH): The skill requests
Bash(infsh *)capability. This allows the agent to execute any sub-command of theinfshtool, which includes running arbitrary applications, logging in, and potentially modifying local environment configurations. - PROMPT_INJECTION (LOW): Indirect Prompt Injection Surface. The skill is designed to fetch content from the live web and URLs and then feed that content directly into LLM prompts.
- Ingestion points: Data enters from
tavily/search-assistant,exa/search, andtavily/extracttools. - Boundary markers: Absent. The skill uses direct shell variable interpolation (e.g.,
$SEARCH_RESULT) inside JSON strings without delimiters or instructions for the model to ignore embedded commands. - Capability inventory: The
infshtool can execute remote apps and interact with external APIs. - Sanitization: None observed. The external content is treated as trusted context.
- DATA_EXFILTRATION (LOW): The skill sends research data and extracted URL content to the
inference.shplatform and third-party LLM providers (OpenRouter). While this is the intended function, it involves moving potentially sensitive research data to external services.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata