web-search
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: CRITICAL
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (CRITICAL): The skill explicitly instructs the agent or user to execute curl -fsSL https://cli.inference.sh | sh. This is a classic piped-to-shell attack vector where a script from an untrusted external domain is executed with local privileges.
  - Evidence: SKILL.md contains the command sequence curl -fsSL https://cli.inference.sh | sh && infsh login.
  - Source: https://cli.inference.sh is not a trusted source per the analysis guidelines.
- Indirect Prompt Injection (LOW): The skill is designed to ingest untrusted data from the web via the tavily/extract and exa/extract apps. This creates a surface for attackers to embed instructions in web pages that the agent may mistakenly follow.
  - Ingestion points: infsh app run tavily/extract and infsh app run exa/extract in SKILL.md.
  - Boundary markers: Absent; extracted content is passed directly to LLM prompts in example workflows.
  - Capability inventory: The skill has permission to execute shell commands via allowed-tools: Bash(infsh *).
  - Sanitization: No sanitization logic is present to filter malicious instructions from extracted web content.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats