prompt-engineering
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill explicitly directs the agent or user to execute a remote script using the dangerous `curl | sh` pattern (`curl -fsSL https://cli.inference.sh | sh`). This provides the remote server with full control over the local execution environment.
- [COMMAND_EXECUTION] (HIGH): The shell commands constructed in the skill, such as `infsh app run ... --input '...'`, use simple single quotes for wrapping input. If the provided input (e.g., code snippets in the 'Code Review' template) contains single quotes, an attacker can break out of the command and execute arbitrary shell instructions.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. It is designed to ingest and process untrusted external data (e.g., articles, code, customer reviews) and pass it to AI models. Evidence Chain:
  1. Ingestion: Places untrusted data in templates like `[code]` or `[article text]` in SKILL.md.
  2. Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands.
  3. Capability inventory: The skill utilizes the `Bash(infsh *)` tool, granting it the ability to execute commands and communicate over the network.
  4. Sanitization: Absent; input is directly interpolated into prompts and shell commands.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill uses `npx skills add` to download and install additional skills from an external, unverified source (inferencesh/skills).
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://cli.inference.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata