explainer-video-guide
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references an installation script for the infsh CLI tool from the vendor's GitHub repository. Evidence: The script is located at https://raw.githubusercontent.com/inference-sh/skills/refs/heads/main/cli-install.md.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using the infsh utility and npx to manage media production and skill installation. Evidence: Commands such as infsh app run, infsh login, and npx skills add are utilized throughout the guide.
- [PROMPT_INJECTION]: The skill demonstrates a surface for indirect prompt injection by processing untrusted user input and passing it to command-line tools. 1. Ingestion points: User-provided prompts for video and audio generation in SKILL.md. 2. Boundary markers: Absent; user input is interpolated into command arguments without explicit separators or guardrails. 3. Capability inventory: Shell command execution via the Bash tool as defined in the skill frontmatter. 4. Sanitization: Absent; no validation or escaping of external content is specified before tool invocation.
Audit Metadata