social-media-carousel
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: CRITICAL
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (CRITICAL): The skill includes the command `curl -fsSL https://cli.inference.sh | sh`. This is a high-risk pattern that downloads and executes code from the internet in a single step. Since 'inference.sh' is not on the list of trusted providers, this is flagged as a critical security risk.
- REMOTE_CODE_EXECUTION (CRITICAL): The use of piped shell execution (`| sh`) on untrusted remote content is a direct path for remote code execution. This allows the host at cli.inference.sh to execute any command on the local machine with the permissions of the current shell.
- COMMAND_EXECUTION (MEDIUM): The skill heavily utilizes the `infsh` CLI tool to run remote 'apps' (e.g., `infsh/html-to-image`). While this is central to its stated purpose of carousel generation, it represents an ongoing execution of external code within the local environment, expanding the attack surface.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats