og-image-design
Fail
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill recommends an installation procedure that pipes a remote script from https://cli.inference.sh directly into the shell (curl -fsSL ... | sh). This execution pattern allows arbitrary code from an external source to run on the local system with the user's current privileges, bypassing standard package manager verification.
- [EXTERNAL_DOWNLOADS]: Binary assets for the infsh CLI are downloaded from dist.inference.sh during the setup process. While the documentation claims SHA-256 verification is performed, the verification logic itself is contained within the downloaded script, which is executed immediately without prior inspection.
- [COMMAND_EXECUTION]: The skill requires the infsh CLI tool and executes various subcommands such as 'login' and 'app run'. These commands are executed via the Bash tool as specified in the skill's allowed-tools configuration, giving the skill access to system resources through the CLI.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it interpolates user-controlled HTML and prompt strings into CLI commands. 1. Ingestion points: The --input JSON payload in infsh app run commands within SKILL.md. 2. Boundary markers: JSON structure is used to encapsulate inputs, but there are no explicit delimiters or warnings for the agent to ignore embedded instructions within the HTML content. 3. Capability inventory: The skill can execute shell commands via infsh and interact with remote AI model APIs to generate images. 4. Sanitization: There is no evidence of validation or sanitization of the user-provided HTML or prompt strings before they are passed to the tool.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata