python-executor
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): The documentation explicitly instructs the user to run `curl -fsSL https://cli.inference.sh | sh`. This is a critical security anti-pattern that allows for arbitrary remote code execution with shell privileges without any form of verification or integrity checking. The domain `inference.sh` is not a trusted source.
- [Dynamic Execution] (MEDIUM): The skill is designed to execute dynamic Python code strings. While the documentation claims the environment is sandboxed, the execution of arbitrary code provided via inputs is a high-capability feature that significantly increases the attack surface if used with untrusted data.
- [Indirect Prompt Injection] (LOW): The skill is highly vulnerable to indirect prompt injection because it is intended to process data (like scraped web content) and generate Python code based on that data for immediate execution.
  - Ingestion points: The `code` parameter in the `infsh app run` command.
  - Boundary markers: Absent; there are no delimiters or instructions to prevent the interpreter from executing malicious logic embedded in the input strings.
  - Capability inventory: Extensive capabilities including full network access via `requests`, `selenium`, and `playwright`, and file output capabilities.
  - Sanitization: Absent; the provided code is executed without any validation or security filtering.
- [Privilege Escalation] (MEDIUM): The skill requests permission for the `Bash` tool with the command `infsh *`. This allows an agent to execute various commands through the third-party CLI, which could lead to unauthorized operations if the CLI itself has vulnerabilities or broad permissions.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh. DO NOT USE without thorough review.
- AI detected serious security threats
Audit Metadata