agent-tools
Fail
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the user or agent to install a CLI tool using the pattern
curl -fsSL https://cli.inference.sh | sh. This method executes a remote script directly in the shell without version pinning or integrity verification, posing a risk of executing unverified code from an external domain. - [COMMAND_EXECUTION]: The CLI reference documentation suggests commands that modify system-wide configuration files, such as writing bash completions to
/etc/bash_completion.d/infsh. Modifying system directories typically requires elevated privileges and can affect host security and stability. - [DATA_EXFILTRATION]: The
beltCLI tool includes functionality to automatically upload local files to theinference.shcloud service when a file path is provided in the input JSON (e.g.,belt app run ... --input '{"image": "/path/to/photo.jpg"}'). This creates an attack surface where sensitive local files, such as credentials or private keys, could be exfiltrated if the agent is directed to process them. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it processes outputs from external AI applications which could contain malicious instructions.
- Ingestion points: Data returned from
belt app runorbelt task getcommands. - Boundary markers: None identified; there are no instructions for the agent to ignore or delimit embedded commands within the tool's output.
- Capability inventory: The skill is granted
Bash(belt *)access and has the capability to upload local data to remote servers. - Sanitization: No evidence of output validation or sanitization before the data is returned to the agent's context.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata