ai-rag-pipeline

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The installation instructions recommend piping a script from a remote URL (https://cli.inference.sh) directly into the shell. This pattern executes unverified remote code on the host machine and is inherently risky.
  • [COMMAND_EXECUTION]: The Bash templates in the skill's documentation demonstrate a pattern of capturing output from search tools (Tavily, Exa) into environment variables and interpolating them directly into subsequent shell commands (e.g., infsh app run ... --input "{... $SEARCH_RESULT ...}"). This construction is vulnerable to shell command injection if the retrieved search results contain special characters (like backticks, dollar signs, or escaped quotes) that can escape the JSON string and execute arbitrary commands in the shell environment.
  • [PROMPT_INJECTION]: The RAG pipeline implementation is vulnerable to indirect prompt injection because retrieved data is neither sanitized nor separated from trusted instructions.
      • Ingestion points: Untrusted data enters the agent context from the outputs of search and extraction tools such as tavily/search-assistant, exa/search, and tavily/extract.
      • Boundary markers: The examples use no delimiters, and no instructions to ignore embedded commands, to separate retrieved web content from the core system prompt.
      • Capability inventory: The agent can execute shell commands via infsh, which can perform further network requests, trigger other AI models, and access local resources.
      • Sanitization: No escaping or validation is performed on the retrieved web content before it is interpolated into the prompts for subsequent LLM calls.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 4, 2026, 12:29 PM