
related-skill

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)

Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill presents a HIGH risk due to its reliance on downloading and executing unverified external code via npx commands. The npx skills tool, and the skills it installs from the inference.sh registry, are not directly auditable within the provided skill file, posing a significant command execution and external download risk.

Total Findings: 2

🔴 HIGH Findings:

  • Unverified Command Execution via npx
    Line 3: allowed-tools: Bash(npx skills *)
    Description: The skill explicitly allows and instructs the use of npx skills * commands. npx is a Node.js package runner that downloads and executes packages from the npm registry (or other specified registries). This means the skill relies on external, unverified code (skills package and the skills it installs from inference.sh) to be downloaded and executed on the user's system. The content of these external packages is not auditable within this skill's definition, posing a significant COMMAND_EXECUTION risk.

🟡 MEDIUM Findings:

  • External Downloads from Unverified Source
    Line 3: allowed-tools: Bash(npx skills *)
    Description: The skill instructs the user to download and install packages from inference.sh via npx skills. The inference.sh domain is not listed as a trusted external source. Additionally, an image is downloaded from cloud.inference.sh (Line 9). While inference.sh is the source of the skill itself, the external nature of these downloads means their content is not directly verifiable during this analysis, leading to an EXTERNAL_DOWNLOADS risk.

================================================================================

Recommendations
  • AI detected serious security threats

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 12, 2026, 09:56 AM