
agent-tools

Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructions in SKILL.md, references/authentication.md, and references/cli-reference.md explicitly direct the agent to execute curl -fsSL https://cli.inference.sh | sh. This pattern downloads a script from an external, untrusted URL and pipes it directly into the shell for execution, which is a high-risk vector for system compromise.
  • [EXTERNAL_DOWNLOADS]: The installation process involves downloading binaries and manifest files from dist.inference.sh. Since this domain and the associated organization are not on the trusted vendors list, these external dependencies cannot be verified for safety.
  • [COMMAND_EXECUTION]: The skill defines Bash(infsh *) in its allowed-tools. This grants the agent the ability to execute any command within the infsh CLI suite, which includes operations for authentication, file saving, and cloud-based application execution.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to how it processes external data.
      ◦ Ingestion points: The skill reads untrusted data from local JSON files or inline JSON strings (e.g., infsh app run <app> --input input.json) as shown in references/running-apps.md.
      ◦ Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands within the input data.
      ◦ Capability inventory: The agent has the capability to execute shell commands and write files to the local system via the infsh CLI.
      ◦ Sanitization: No evidence of sanitization or validation of the input content is provided before it is passed to the execution tool.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Mar 7, 2026, 08:31 AM