agent-tools
Fail
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to download and execute an installation script directly from the vendor's domain at https://cli.inference.sh using a `curl | sh` pipeline to install the `belt` CLI tool.
- [DATA_EXFILTRATION]: The `belt` CLI features an automatic file detection mechanism that identifies local file paths provided in input parameters and uploads the contents of those files to the inference.sh cloud infrastructure for processing. This poses a significant risk of accidental or malicious exfiltration of sensitive files, such as environment variables or credentials, if they are passed as inputs to the tool.
- [COMMAND_EXECUTION]: The skill requires access to the `Bash` tool to perform CLI installation, authentication, and execution of various AI tasks through the `belt` command-line utility.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes external prompts and data for delivery to third-party AI models.
  1. Ingestion points: Input parameters for the `belt app run` command found in SKILL.md and references/running-apps.md.
  2. Boundary markers: No delimiters or explicit instructions to ignore embedded commands are present.
  3. Capability inventory: Command execution via the `Bash` tool as defined in the skill's frontmatter.
  4. Sanitization: No sanitization or validation of input data is documented before the content is passed to the execution environment.
Recommendations
- HIGH: Downloads and executes remote code from https://cli.inference.sh. DO NOT USE without thorough review.
Audit Metadata