agent-tools

Fail

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill documentation instructs both the user and the agent to install the CLI tool by piping a remote script from 'https://cli.inference.sh' directly into a shell. This method executes unverified code from an external source without prior inspection, providing a direct vector for arbitrary code execution.
  • [DATA_EXFILTRATION]: The 'infsh app run' command includes a feature that automatically detects local file paths provided in the input JSON and uploads the corresponding files to the vendor's cloud infrastructure. This functionality can be abused via indirect prompt injection to exfiltrate sensitive system files, such as SSH keys or environment configuration files, by inducing the agent to pass these paths as arguments to the tool.
  • [PROMPT_INJECTION]: The skill operates as a gateway for processing data from third-party AI models and web search tools, creating a surface for indirect prompt injection. Malicious instructions contained in the output of these external apps could influence the agent's logic. Evidence Chain: (1) Ingestion points: Results from 'infsh app run' for models like Claude, Gemini, or Tavily search. (2) Boundary markers: Absent; the skill does not define delimiters to separate untrusted tool output from instructions. (3) Capability inventory: Subprocess execution via Bash, file reading for uploads, and network transmission. (4) Sanitization: Absent; the agent is not instructed to filter or validate the contents of the returned data.
  • [COMMAND_EXECUTION]: The skill relies on the Bash tool to execute various 'infsh' commands. The instructions also suggest writing to '/etc/bash_completion.d/', an operation that typically requires elevated (root/sudo) privileges, which constitutes a potential privilege escalation vector.
  • [EXTERNAL_DOWNLOADS]: The skill performs several external requests to 'dist.inference.sh' to fetch binary manifests, checksums, and executable files during both installation and update procedures.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 9, 2026, 08:02 AM