skills/skill-zero/s/logo-design-guide/Gen Agent Trust Hub

logo-design-guide

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill explicitly includes the command 'curl -fsSL https://cli.inference.sh | sh' in the Quick Start section. This is a classic piped-to-shell remote code execution pattern that allows an untrusted third party to execute arbitrary code on the user's system.- [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads and executes resources from 'https://cli.inference.sh', a domain that does not belong to the list of Trusted External Sources. This increases the risk of supply-chain attacks or malicious script injection.- [COMMAND_EXECUTION] (MEDIUM): The YAML frontmatter specifies 'allowed-tools: Bash(infsh *)', which grants broad execution privileges to any 'infsh' subcommand. This permissive configuration could be abused if the downloaded binary is malicious or if arguments are manipulated.- [DATA_EXPOSURE_AND_EXFILTRATION] (LOW): While no explicit exfiltration was detected, the 'infsh login' command indicates that the skill manages authentication tokens, which could be targeted by the untrusted binary downloaded in the RCE step.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 18, 2026, 11:01 AM
Security Audit — agent-trust-hub — logo-design-guide