video-prompting-guide

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The command curl -fsSL https://cli.inference.sh | sh is used to download and execute code from an untrusted external source. This pattern is a high-risk security vulnerability that allows for arbitrary code execution with the user's shell privileges.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill utilizes npx skills add to install multiple unverified third-party packages from the inference-sh scope. These dependencies do not come from the defined list of trusted organizations.
  • COMMAND_EXECUTION (MEDIUM): The skill relies on the infsh CLI tool to run remote applications and perform logins. This involves executing external binaries and potentially sending data to remote servers.
  • PROMPT_INJECTION (LOW): The skill provides templates for video generation prompts that process user-supplied input. It lacks sanitization or boundary markers, creating a surface for indirect prompt injection.
      • Ingestion points: The prompt and input fields within the infsh app run commands.
      • Boundary markers: None present in the prompt templates.
      • Capability inventory: File execution via Bash tool, network access via curl and infsh.
      • Sanitization: No escaping or validation of user-provided prompt strings is demonstrated.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 18, 2026, 10:56 AM
Security Audit — agent-trust-hub — video-prompting-guide