product-photography
Fail
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's SKILL.md file contains an installation command
curl -fsSL https://cli.inference.sh | sh. This is a piped remote execution pattern from an unknown source, which is identified as a critical security risk because it allows arbitrary code to be executed on the host system without prior verification. - [EXTERNAL_DOWNLOADS]: The skill documentation encourages downloading the
infshCLI tool from a non-whitelisted third-party domain (inference.sh) that is not included in the trusted vendors or well-known services list. - [COMMAND_EXECUTION]: The skill requests permission to use
Bash(infsh *), which enables the execution of shell commands. While restricted to a specific binary, the binary itself is an unverified dependency from an untrusted remote source.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata