building-inferencesh-apps
Fail
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs developers to install the CLI and other requirements by piping remote scripts from cli.inference.sh, astral.sh, fnm.vercel.app, and GitHub directly into system shells (sh, bash, iex). This occurs in SKILL.md and references/cli.md. While these are standard installation methods for the referenced technology stacks (Astral/UV, Node.js version managers), executing unverified remote code is a significant security risk.
- [COMMAND_EXECUTION]: In references/cli.md, the installation instructions for Windows users include a command that explicitly bypasses the PowerShell execution policy (-ExecutionPolicy ByPass). This configuration allows the execution of scripts that would normally be restricted by the operating system's security settings.
- [PROMPT_INJECTION]: The skill documents an architecture for building AI applications that process untrusted data (user prompts), creating an attack surface for indirect prompt injection.
  - Ingestion points: Data enters the agent context through the AppInput and RunInput schemas defined in references/python-app-logic.md and references/node-app-logic.md.
  - Boundary markers: The templates do not implement delimiters or explicit instructions to ignore embedded commands in the processed input.
  - Capability inventory: Deployed apps have access to the file system (node:fs, PIL), network operations (httpx), and sensitive credentials (environment secrets).
  - Sanitization: The provided logic templates do not include validation or sanitization of external content, leaving security entirely to the developer's implementation.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata