prompt-engineering
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill contains a piped-to-shell pattern for installation of the 'infsh' CLI. Evidence: 'curl -fsSL https://cli.inference.sh | sh' in SKILL.md. This allows the remote host to execute arbitrary code on the user's system without verification.
- [COMMAND_EXECUTION] (HIGH): The skill grants broad execution permissions for the 'infsh' tool via 'allowed-tools: Bash(infsh *)'. Given the untrusted installation source, this facilitates execution of potentially malicious code.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it processes external data through tools with side-effect capabilities. Mandatory Evidence Chain: 1. Ingestion points: Untrusted data enters via '[article text]' and '[code]' placeholders in SKILL.md templates. 2. Boundary markers: Absent; no delimiters or ignore-instructions are used. 3. Capability inventory: High; the agent can execute commands via 'infsh' to perform actions across various AI models. 4. Sanitization: Absent; the skill does not suggest any escaping or validation of the input content.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill references several external dependencies from an unverified source (inferencesh/skills) via npx. Evidence: Related Skills section in SKILL.md.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://cli.inference.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata