skills/skill-zero/s/google-veo/Gen Agent Trust Hub

google-veo

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill explicitly instructs the agent or user to execute curl -fsSL https://cli.inference.sh | sh. This is a classic 'curl pipe to sh' attack vector that downloads and executes code from an untrusted third-party source with full shell privileges. The contents of this remote script can be changed at any time by the site owner, leading to total system compromise.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill relies on multiple external dependencies and sub-skills hosted on inference-sh, which is not a trusted organization. It uses npx to dynamically pull and execute skills from this unknown source.
  • [COMMAND_EXECUTION] (MEDIUM): The skill requests broad Bash execution permissions for the infsh command. Since this tool is installed via the critical RCE method mentioned above, any command executed through it is inherently untrusted and potentially malicious.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 18, 2026, 07:19 AM
Security Audit — agent-trust-hub — google-veo