agent-tools
Fail
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documentation instructs users to execute a remote script via 'curl -fsSL https://cli.inference.sh | sh'. This 'curl pipe sh' pattern from an untrusted domain allows arbitrary code execution on the host system, since the script is run without being inspected or verified first.
- [EXTERNAL_DOWNLOADS]: The installation process fetches binary files from 'dist.inference.sh'. While the skill mentions SHA-256 verification in manual steps, the automated installation script downloads and executes resources from the internet at runtime.
- [COMMAND_EXECUTION]: The skill defines an 'allowed-tools' permission for 'Bash(infsh *)'. This provides the AI agent with broad shell access to all subcommands of the downloaded 'infsh' CLI, which includes deploying apps and managing system configurations.
- [COMMAND_EXECUTION]: The CLI reference provides instructions for writing shell completion scripts to '/etc/bash_completion.d/'. Modifying system directories is a sensitive operation that typically requires elevated (root/sudo) privileges and can affect system integrity.
- [CREDENTIALS_UNSAFE]: The skill manages authentication through 'INFSH_API_KEY' environment variables and stores tokens locally via the 'infsh login' command, which presents a risk of credential exposure if the local environment is compromised.
- [PROMPT_INJECTION]: The skill processes untrusted data, which presents a surface for indirect prompt injection.
  - Ingestion points: External data is ingested through the '--input' flag of 'infsh app run', often from JSON files.
  - Boundary markers: The skill lacks explicit markers or instructions to help the underlying AI models distinguish between data and commands.
  - Capability inventory: The skill has network access to AI providers and shell execution capabilities.
  - Sanitization: There is no evidence of input validation or sanitization before data is passed to the AI applications.
Recommendations
- HIGH: Downloads and executes remote code from https://cli.inference.sh. DO NOT USE without thorough review.
- AI detected serious security threats
Audit Metadata