video-ad-specs
Fail
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill recommends installing a CLI tool using the command `curl -fsSL https://cli.inference.sh | sh`. This pattern is highly insecure as it executes a remote script with shell privileges without prior inspection or verification of the content.
- [REMOTE_CODE_EXECUTION]: The 'Related Skills' section uses `npx skills add`, which downloads and executes packages from the npm registry at runtime, introducing another vector for remote code execution.
- [COMMAND_EXECUTION]: The `allowed-tools` metadata specifies `Bash(infsh *)`, which permits the agent to execute any command starting with `infsh`. This provides a broad attack surface for command injection or unintended tool usage if input is not properly sanitized.
- [EXTERNAL_DOWNLOADS]: The skill relies on external services and AI models (e.g., from ByteDance, Google, and Fal.ai) accessed through the `infsh` tool. These dependencies involve outbound network requests and the processing of data on third-party infrastructure.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata