background-removal
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The Quick Start section contains the command `curl -fsSL https://cli.inference.sh | sh`. This pattern downloads a script from a remote URL and immediately executes it in the user's shell without any verification or integrity checks. This is a classic vector for arbitrary code execution.
- COMMAND_EXECUTION (MEDIUM): The skill defines `allowed-tools: Bash(infsh *)`, which grants the AI agent the ability to run any subcommand associated with the `infsh` binary. This broad permission increases the potential impact if the agent is manipulated into running malicious subcommands.
- EXTERNAL_DOWNLOADS (LOW): The skill documentation suggests using `npx skills add inference-sh/skills@...`, which triggers the download and installation of additional code packages from external registries.
- DATA_EXPOSURE (LOW): The skill sends image URLs and text prompts to an external API (`inference.sh`) for processing. While this is the primary purpose of the skill, users should be aware that data is being shared with a third-party service.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata