ai-marketing-videos

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: CRITICAL | REMOTE_CODE_EXECUTION | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): The skill includes the command curl -fsSL https://cli.inference.sh | sh, which downloads and immediately executes a shell script from a non-trusted external source. This is a classic RCE pattern that grants the remote server full control over the local execution environment.
  • COMMAND_EXECUTION (HIGH): The skill relies on the infsh CLI tool and uses complex Bash patterns including loops, variable interpolation, and file redirections. Because these commands are based on tools installed via the unverified RCE script, the entire execution chain is compromised.
  • EXTERNAL_DOWNLOADS (MEDIUM): Multiple references to resources on inference.sh are present. This domain is not recognized as a trusted provider, and the skill bypasses standard package managers to install executable code.
  • PROMPT_INJECTION (LOW): The skill dynamically constructs JSON inputs for the infsh tool using user-provided prompts. This creates a surface for indirect prompt injection where a malicious prompt could attempt to escape the JSON structure or influence subsequent tool calls.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 18, 2026, 07:19 AM