prompt-engineering

Warn

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references an external installation script hosted on a GitHub repository (https://raw.githubusercontent.com/inference-sh/skills/refs/heads/main/cli-install.md) for setting up the required CLI tool.
  • [REMOTE_CODE_EXECUTION]: The documentation suggests using 'npx skills add' to install further components from the inference-sh/skills repository. Using npx with external identifiers facilitates the dynamic download and execution of remote code at runtime.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the 'infsh' command-line tool. The skill's frontmatter explicitly restricts Bash usage to commands starting with 'infsh', which limits potential command injection, but the tool itself is a third-party executable.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 5, 2026, 06:35 PM
Security Audit — agent-trust-hub — prompt-engineering