agent-tools
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- Remote Code Execution (CRITICAL): The skill provides installation instructions in `SKILL.md` and `references/authentication.md` that use `curl -fsSL https://cli.inference.sh | sh`. This is a classic RCE pattern where a script from an untrusted external domain is executed with the privileges of the current user without prior inspection.
- External Downloads (HIGH): The installer downloads pre-compiled binaries from `dist.inference.sh`. As `inference.sh` is not among the trusted providers defined in the safety scope, these binaries cannot be verified for integrity or absence of malicious code, posing a supply-chain risk.
- Credential Management (LOW): The tool relies on `INFSH_API_KEY` and a local configuration file populated via `infsh login`. While standard for CLI applications, the skill context allows the agent to interact with these credentials, creating a potential path for exposure if the agent is manipulated.
- Indirect Prompt Injection (LOW): The skill processes data from untrusted sources, specifically web search results (Tavily/Exa) and external AI model outputs.
  - Ingestion points: Untrusted data enters via `infsh app run` outputs and search queries in `references/app-discovery.md` and `references/running-apps.md`.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the provided reference materials.
  - Capability inventory: The `Bash(infsh *)` tool allows for network operations, file writing (`--save`), and Twitter automation (`x/post-tweet`).
  - Sanitization: No evidence of input sanitization or output escaping is found in the CLI reference.
Recommendations
- HIGH: Downloads and executes remote code from https://cli.inference.sh. DO NOT USE without thorough review.
- AI detected serious security threats
Audit Metadata