twitter-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- Remote Code Execution (CRITICAL): The skill instructs users to run curl -fsSL https://cli.inference.sh | sh. This is a classic RCE vector that executes a remote script with local privileges. The domain inference.sh is not a trusted source, making this extremely dangerous.
- Indirect Prompt Injection (HIGH):
  - Ingestion points: Processes output from external AI services (falai, Google) and user-provided JSON files (e.g., input.json) to generate social media content.
  - Boundary markers: None. Data is interpolated directly into command arguments.
  - Capability inventory: The skill possesses extensive write capabilities, including posting tweets, sending direct messages (DMs), following users, and deleting content.
  - Sanitization: There is no evidence of sanitization or filtering. Malicious instructions embedded in external AI outputs or user data could trick the agent into performing unauthorized account actions.
- External Downloads (HIGH): The skill promotes the installation of further unverified extensions via npx skills add inferencesh/skills, expanding the attack surface through untrusted third-party code.
- Command Execution (MEDIUM): The YAML frontmatter grants broad execution rights to the infsh utility via allowed-tools: Bash(infsh *), which is the primary interface for all sensitive operations.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://cli.inference.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata