Skills
skills/inferencesh/skills/storyboard-creation/Gen Agent Trust Hub

storyboard-creation

Fail

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the user to install the infsh CLI by piping a script from https://cli.inference.sh directly to the shell (curl | sh). This is a standard installation method provided by the vendor.
  • [COMMAND_EXECUTION]: The skill utilizes the infsh tool via the Bash capability to run applications such as falai/flux-dev-lora and infsh/stitch-images for image generation and processing.
  • [EXTERNAL_DOWNLOADS]: Additional skill modules are referenced and downloaded using the npx skills add command, which fetches packages from the vendor's repository.
  • [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by interpolating natural language prompts into CLI commands without explicit validation or boundary markers. 1. Ingestion points: prompt fields in infsh app run calls within SKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: Execution of CLI tools via Bash(infsh *). 4. Sanitization: Absent in provided examples.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 18, 2026, 11:00 AM