building-inferencesh-apps
Fail
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs users to install the infsh CLI by piping a script downloaded from https://cli.inference.sh directly into the shell (sh). This method executes a remote script on the host without intermediate verification.
- [EXTERNAL_DOWNLOADS]: Fetches multiple tools and dependencies from external providers:
  - Downloads the uv Python tool from Astral's official installation endpoints (astral.sh).
  - Retrieves the fnm Node.js version manager from Vercel's official installation script.
  - Fetches the nvm manager from its official GitHub repository.
- [COMMAND_EXECUTION]: Employs shell commands for app lifecycle management (infsh app init, infsh app test, infsh app deploy). It also provides a PowerShell command with ExecutionPolicy ByPass for dependency installation on Windows, which bypasses local script execution restrictions.
- [PROMPT_INJECTION]: The skill architecture is vulnerable to indirect prompt injection.
  - Ingestion points: Untrusted external data enters the app context via the AppInput (Python) and RunInput (Node.js) schemas, particularly through the prompt and imageUrl fields in SKILL.md and related logic files.
  - Boundary markers: The provided templates and implementation guides lack explicit delimiters or instructions to ignore embedded commands in the processed data.
  - Capability inventory: Apps following these templates possess broad system capabilities, including file system access (open, writeFileSync), network requests (httpx, OpenAI), and project management via the infsh CLI.
  - Sanitization: No evidence of input validation, escaping, or sanitization logic is provided in the recommended development patterns.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata