
llm-models

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [METADATA_POISONING]: The skill's metadata and model table reference multiple non-existent model versions, such as 'Claude Opus 4.5', 'Claude Sonnet 4.5', 'Claude Haiku 4.5', and 'Gemini 3 Pro'. This deceptive information could lead an agent to prioritize this skill based on false claims of superior capabilities.
  • [REMOTE_CODE_EXECUTION]: The skill depends on the 'infsh' CLI tool, which must be installed from an external source. While the tool appears to be a vendor resource for 'tul-sh', its use involves executing external code whose internal logic is not verified within the skill's sandbox.
  • [COMMAND_EXECUTION]: The skill requests permission for 'Bash(infsh *)', granting the agent access to any subcommand of the 'infsh' utility. This broad scope could be exploited if the CLI tool contains dangerous or undocumented functionality.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted user prompts and returns results from external LLM providers.
    - Ingestion points: Prompts are passed to 'infsh app run' via JSON input.
    - Boundary markers: None; the skill does not use delimiters to separate user input from system instructions.
    - Capability inventory: The 'infsh' CLI provides network access and potential local execution.
    - Sanitization: No input validation or output filtering is implemented.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 12, 2026, 08:26 AM