Skills
skills/inferencesh/skills/book-cover-design/Gen Agent Trust Hub

book-cover-design

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • Remote Code Execution (CRITICAL): The skill provides a command curl -fsSL https://cli.inference.sh | sh which pipes remote content directly into a shell. This is a classic attack vector that allows an untrusted third party to execute arbitrary code on the host system without verification. The domain inference.sh is not on the list of trusted external sources.
  • External Downloads (HIGH): The skill uses npx skills add inference-sh/skills@... to fetch and integrate additional logic. Since the inference-sh organization is not a trusted provider, these dependencies are unverifiable and could contain malicious payloads.
  • Command Execution (HIGH): The skill relies extensively on the infsh CLI tool. Given its installation method (piped shell script) and untrusted origin, the tool's execution of remote 'apps' represents a significant security risk where the agent's capabilities are handed over to an unvetted binary.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 18, 2026, 01:31 AM