agent-tools
Fail
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's installation instructions recommend piping a remote script directly into the shell (`curl -fsSL https://cli.inference.sh | sh`), which executes unverified code. Additionally, manual installation steps dynamically parse a remote manifest to construct download URLs for execution.
- [EXTERNAL_DOWNLOADS]: The skill downloads CLI binaries, checksums, and metadata from `cli.inference.sh` and `dist.inference.sh` during setup and updates.
- [COMMAND_EXECUTION]: The skill requires Bash tool access to execute `infsh` commands, manage local file paths, and perform system installation tasks.
- [DATA_EXFILTRATION]: The CLI is designed to automatically upload local files (images, audio, etc.) to the vendor's cloud servers when file paths are provided in app inputs. This functionality allows local data to be transmitted to external infrastructure for processing.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata