Skills
skills/jstarfilms/vibecode-protocol-suite/ai-avatar-video/Gen Agent Trust Hub

ai-avatar-video

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): The skill instructs the user/agent to execute curl -fsSL https://cli.inference.sh | sh. This pattern is highly dangerous as it executes unverified code from an external, untrusted source with the permissions of the current user.
  • EXTERNAL_DOWNLOADS (HIGH): The skill relies on an external binary and installation script from inference.sh, which is not a trusted source according to the established security policy.
  • COMMAND_EXECUTION (HIGH): The skill uses the Bash tool to execute infsh commands. Since the source of infsh is untrusted, these commands represent a high risk of malicious side effects.
  • INDIRECT_PROMPT_INJECTION (HIGH): The skill processes untrusted external data in the form of image_url, audio_url, and video_url. There is no evidence of sanitization or boundary markers (Category 8). An attacker could provide a URL that, when processed by the infsh CLI, triggers unexpected behavior or exfiltrates local information via the CLI's network capabilities.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://cli.inference.sh - DO NOT USE
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 16, 2026, 06:08 AM