Skills
skills/inferencesh/agent-skills/app-store-screenshots/Gen Agent Trust Hub

app-store-screenshots

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): Untrusted remote script execution via shell pipe.
  • Evidence: The skill contains the command curl -fsSL https://cli.inference.sh | sh in the 'Quick Start' section.
  • Risk: This pattern downloads a script from a non-whitelisted domain and executes it directly in the system shell without verification. This allows the domain owner to execute arbitrary code on the host machine.
  • [COMMAND_EXECUTION] (HIGH): Execution of third-party CLI tools with broad permissions.
  • Evidence: The skill extensively uses the infsh tool, which is defined in the frontmatter allowed-tools: Bash(infsh *) and used for operations like infsh login and infsh app run.
  • Risk: Since the installation of this tool is untrusted, all subsequent calls to the tool inherit the same risk of arbitrary code execution.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): Unverifiable external dependencies.
  • Evidence: The 'Related Skills' section encourages installing additional skills via npx skills add inferencesh/skills@....
  • Risk: This expands the attack surface by pulling in more external, unvetted code from the same untrusted source.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://cli.inference.sh - DO NOT USE
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 16, 2026, 06:29 AM