video-prompting-guide
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The command `curl -fsSL https://cli.inference.sh | sh` is used to download and execute code from an untrusted external source. This pattern is a high-risk security vulnerability that allows for arbitrary code execution with the user's shell privileges.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill utilizes `npx skills add` to install multiple unverified third-party packages from the `inference-sh` scope. These dependencies do not come from the defined list of trusted organizations.
- COMMAND_EXECUTION (MEDIUM): The skill relies on the `infsh` CLI tool to run remote applications and perform logins. This involves executing external binaries and potentially sending data to remote servers.
- PROMPT_INJECTION (LOW): The skill provides templates for video generation prompts that process user-supplied input. It lacks sanitization or boundary markers, creating a surface for indirect prompt injection.
  - Ingestion points: The `prompt` and `input` fields within the `infsh app run` commands.
  - Boundary markers: None present in the prompt templates.
  - Capability inventory: File execution via `Bash` tool, network access via `curl` and `infsh`.
  - Sanitization: No escaping or validation of user-provided prompt strings is demonstrated.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats