agent-tools

Fail

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: CRITICAL

Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent and the user to install the required CLI tool by piping a remote script directly into a shell (curl -fsSL https://cli.inference.sh | sh). This pattern gives an unverified external source full execution privileges on the host system without prior inspection.
  • [DATA_EXFILTRATION]: A primary feature of the skill is the "Local File Uploads" capability, which instructs the agent to read local file paths and transmit their content to the inference.sh cloud. This creates a direct path for data exfiltration if the agent is directed to process sensitive files such as SSH keys, environment variables, or private configuration files.
  • [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute complex CLI commands that can modify the host system's configuration. This includes writing shell completion scripts to system-wide directories (e.g., /etc/bash_completion.d/) and managing local authentication states, which can be used to establish persistence or intercept shell interactions.
  • [EXTERNAL_DOWNLOADS]: The installation and update procedures involve downloading pre-compiled binary executables from dist.inference.sh. This introduces a supply chain dependency on unverified external infrastructure for the delivery of executable code.
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8) due to the following factors:
      ◦ Ingestion points: The agent processes output (JSON and text) from over 250 external AI applications, including LLM responses and web search results, via the belt app run and belt task get commands.
      ◦ Boundary markers: There are no provided instructions or delimiters to ensure the agent treats this external content as untrusted or to ignore embedded instructions within the data.
      ◦ Capability inventory: The agent retains the ability to execute shell commands, write files to the local disk, and upload local files to remote servers while processing this untrusted input.
      ◦ Sanitization: No sanitization or validation mechanisms are described for the data returned from the external services before it is integrated into the agent's context.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
May 7, 2026, 02:41 AM
Security Audit — agent-trust-hub — agent-tools