skills/skill-zero/s/text-to-speech/Gen Agent Trust Hub

text-to-speech

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill instructs the agent/user to install the CLI using curl -fsSL https://cli.inference.sh | sh. This is a critical security risk as it executes unverified code from an untrusted external source directly in the system shell. Although this is the primary installation method for the service, it remains a high-severity finding.
  • [EXTERNAL_DOWNLOADS] (HIGH): The documentation encourages the use of npx skills add inference-sh/skills@..., which downloads and executes packages from a non-whitelisted source. This creates a vector for supply chain attacks or execution of malicious third-party code.
  • [COMMAND_EXECUTION] (MEDIUM): The skill's configuration grants the agent permission to execute any command starting with infsh. This provides broad capability to interact with the local filesystem and remote services, which could be exploited if the agent is manipulated via prompt injection.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 18, 2026, 07:24 AM
Security Audit — agent-trust-hub — text-to-speech