agent-tools
Fail
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill recommends installation using a piped shell command (`curl -fsSL https://cli.inference.sh | sh`), which executes code from a remote server without verification in the local shell environment.
- [EXTERNAL_DOWNLOADS]: The installation process fetches binary files and manifest data from `dist.inference.sh` and `cli.inference.sh`.
- [COMMAND_EXECUTION]: The documentation provides commands for setting up shell completions that involve writing directly to system-level directories such as `/etc/bash_completion.d/`. This operation typically requires administrative privileges and involves modifying system-wide configuration files.
- [DATA_EXFILTRATION]: The `belt` CLI tool is designed to automatically read and upload local files (such as images, audio, and videos) to the vendor's cloud platform when local file paths are provided as input parameters for AI application tasks.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting user-provided data and prompts that are subsequently processed by external AI models, which can influence agent behavior via model outputs.
  - Ingestion points: User prompts and local file paths are passed as arguments to the `belt app run` command as seen in `SKILL.md` and `references/running-apps.md`.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands within the data are present in the provided templates.
  - Capability inventory: The agent has the capability to execute shell commands and perform network uploads via the `belt` CLI.
  - Sanitization: No input validation or content filtering mechanisms are described for the data being sent to the remote AI services.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata