agent-tools
Fail
Audited by Snyk on Jul 7, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs include an instruction to curl a remote installer and pipe it to sh (https://cli.inference.sh) and direct distribution endpoints (dist.inference.sh/cli/manifest.json and checksums.txt) — piping a remote installer and fetching binaries from a non-system package source is a high-risk pattern that can be used to distribute malware unless you independently verify signatures and checksums.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The docs include a direct curl-and-sh installer command (curl -fsSL https://cli.inference.sh | sh) which fetches and executes remote code from https://cli.inference.sh (and downloads binaries from dist.inference.sh), so the skill requires executing remote remote code at install/runtime.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata