twitter-automation

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): The SKILL.md file explicitly guides the agent or user to run curl -fsSL https://cli.inference.sh | sh. This is a confirmed critical vulnerability where an external script is executed directly in the shell without any prior verification. Since 'inference.sh' is not a trusted source, this allows for arbitrary command execution on the host machine.
  • EXTERNAL_DOWNLOADS (HIGH): The skill downloads and installs packages and CLI tools from 'inference.sh' and via npx skills add. These sources are not part of the trusted organization list, and the downloads lack version pinning or cryptographic hash verification to ensure file integrity.
  • COMMAND_EXECUTION (MEDIUM): The skill defines allowed-tools: Bash(infsh *), which grants the agent broad authority to execute any subcommand of the infsh utility. This provides a significant attack surface if the agent is manipulated via prompt injection.
  • DATA_EXFILTRATION (MEDIUM): The skill involves the command infsh login, which handles sensitive Twitter/X API credentials and session tokens. Because the underlying tool is installed from an untrusted source, these credentials are at high risk of being exfiltrated to a third party.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted user data for social media posts.
      • Ingestion points: The text and media_url parameters in the JSON input for Twitter apps.
      • Boundary markers: None are used to separate user data from instructions.
      • Capability inventory: The infsh tool can post, delete, and direct message, providing an attacker with a vector to distribute malicious links or spam.
      • Sanitization: No input validation or sanitization is performed on the data passed to the shell.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 17, 2026, 06:26 PM