building-inferencesh-apps
Fail
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs users to install the belt CLI and other development tools (uv, fnm, nvm) by piping scripts from remote URLs directly into shell interpreters (sh, bash, powershell). Evidence: 'curl -fsSL https://cli.inference.sh | sh' in SKILL.md and references/cli.md; 'curl -LsSf https://astral.sh/uv/install.sh | sh' in references/cli.md.
- [COMMAND_EXECUTION]: Installation steps for Windows include bypassing the PowerShell execution policy, which reduces system protection to allow the execution of unverified scripts. Evidence: 'powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"' in references/cli.md.
- [DATA_EXFILTRATION]: The skill demonstrates how to use environment variables to manage sensitive credentials like OPENAI_API_KEY and HF_TOKEN. While this is a standard practice for development, the templates also show the capability to write files to /tmp and transmit data to external APIs. Evidence: Use of os.environ['API_KEY'] and httpx.AsyncClient in the API-Wrapper template in SKILL.md.
- [PROMPT_INJECTION]: The skill teaches patterns for processing untrusted user data (AppInput.prompt) within applications that have network and filesystem capabilities. 1. Ingestion points: AppInput and RunInput schemas defined in SKILL.md and reference files. 2. Boundary markers: None provided in implementation templates. 3. Capability inventory: Use of httpx (Python) or fetch (Node.js) for network access, and open() or fs for writing output files to /tmp. 4. Sanitization: No input validation or escaping logic is included in the tutorial code.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata