Trust Assessment
ai-avatar-video received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include arbitrary command execution; remote code execution via a curl/wget pipe to shell; and unverified remote script execution for CLI installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest of the four at 63/100.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution** (remote code download piped to interpreter). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/okaris/ai-avatar-video/SKILL.md:9 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/okaris/ai-avatar-video/SKILL.md:9 |
| HIGH | **Unverified remote script execution for CLI installation.** The skill recommends installing the `infsh` CLI by piping `curl` output directly to `sh`. This executes code downloaded from an external URL (`https://cli.inference.sh`) without any integrity check (e.g., hash verification); if the remote server is compromised, the downloaded code runs on the agent's host and can fully compromise it. Do not pipe `curl` output into `sh`. Instead download a verified package, install through a package manager that checks integrity, or publish a digest for manual verification. | LLM | SKILL.md:9 |
| HIGH | **Broad Bash wildcard permission for `infsh` commands.** The manifest declares `Bash(infsh *)` as an allowed tool, so the LLM may run *any* `infsh` subcommand with arbitrary arguments. If the `infsh` CLI exposes sensitive operations (file system access, network requests, credential management via `infsh login`), an attacker who controls the model's input could drive them through crafted prompts, leading to data exfiltration, command injection, or credential harvesting. Restrict Bash permissions to the minimum required: name the exact subcommands and argument patterns the skill needs (e.g., `Bash(infsh app run)`, `Bash(infsh app list)`) instead of `Bash(infsh *)`, or wrap `infsh` calls in a controlled script that validates its inputs. | LLM | SKILL.md |
| MEDIUM | **Unpinned external skill dependencies via `npx skills add`.** The skill recommends `npx skills add inference-sh/agent-skills@inference-sh` without a version, so the latest version of `inference-sh/agent-skills` is fetched on every install; a malicious update to that package would introduce new, unverified code into the agent's environment. Pin external skill dependencies to specific known-good versions (e.g., `npx skills add inference-sh/agent-skills@inference-sh@1.2.3`) for reproducibility and to prevent unexpected or malicious updates. | LLM | SKILL.md:89 |
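The first three findings all come down to the same line in SKILL.md: a `curl ... | sh` install. The shell below is an added example, written for this report and not taken from SkillShield or from the inference.sh project, of the download-then-verify-then-run pattern the remediation calls for. The installer is written to disk, its SHA-256 is compared against a digest pinned out of band, and only then is it executed; a mismatch deletes the file and fails closed. The digest shown in the usage comment is a placeholder, not the real installer's hash, and `install_verified`/`verify_and_run` are names chosen here. Note that TLS does not help against the failure mode the report describes (a compromised origin), which is why the pinned digest is the control.

```sh
#!/bin/sh
# Added example: replaces `curl -fsSL https://cli.inference.sh | sh` with
# download, verify against a pinned SHA-256, then run. Not the vendor's installer.
set -eu

# Print the SHA-256 hex digest of a file, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Run an already-downloaded installer only if its digest matches the pinned one.
# Returns 0 after running it; on mismatch deletes the file and returns 1.
verify_and_run() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
  fi
  sh "$file"
}

# Fetch the installer to disk first (never pipe it straight into sh), then verify.
# --proto '=https' and --tlsv1.2 block downgrade to plain HTTP or old TLS, but
# transport security alone does nothing if the origin is compromised; the digest does.
install_verified() {
  url="$1"; expected="$2"
  tmp=$(mktemp)
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  verify_and_run "$tmp" "$expected"   # set -e aborts here on mismatch
  rm -f "$tmp"
}

# Usage (the digest is a placeholder; obtain the real one from the vendor out of band):
# install_verified https://cli.inference.sh 0000000000000000000000000000000000000000000000000000000000000000
```

If the vendor publishes no digest, there is nothing to pin and the honest remediation is a package-manager install with built-in integrity checks, as the report suggests; pinning a digest you computed yourself from the same untrusted URL only detects later changes, not an already-compromised download.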
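For the `Bash(infsh *)` finding, the report's second remediation is to put a controlled script between the model and the CLI. The wrapper below is an added example, not part of the skill, the report, or the `infsh` CLI: the manifest would allow the wrapper instead of `infsh` itself, and the wrapper enforces a subcommand allowlist and argument validation before calling through. The allowed subcommands (`app list`, `app run`) are the two the report names; the real CLI's argument grammar, the character set accepted for arguments, and the `INFSH_BIN` override are assumptions made here.

```sh
#!/bin/sh
# Added example: policy wrapper to allow as Bash(./infsh-wrapper.sh *) instead of
# Bash(infsh *). The infsh argument grammar assumed here is illustrative only.
set -eu

# Where the real CLI lives; overridable so the policy can be exercised without it.
INFSH_BIN="${INFSH_BIN:-infsh}"

# Accept an argument only if it is non-empty, does not start with '-' (so the
# model cannot smuggle in flags such as --config=...) and contains only characters
# expected in an app identifier or key=value input. Anything else is refused,
# which also rejects shell metacharacters like ';', '|', '$' and whitespace.
safe_arg() {
  case "$1" in
    ""|-*) return 1 ;;
    *[!A-Za-z0-9._/:@=-]*) return 1 ;;
  esac
  return 0
}

# Policy enforcement point. Exit status 2 means "refused by policy", distinct from
# whatever the CLI itself returns, so refusals are easy to spot in audit logs.
infsh_wrapper() {
  [ $# -ge 2 ] || return 2
  sub="$1"; action="$2"; shift 2
  [ "$sub" = "app" ] || return 2          # infsh login, infsh config, ... are refused
  case "$action" in
    list) [ $# -eq 0 ] || return 2 ;;     # list takes no arguments
    run)
      [ $# -ge 1 ] || return 2            # run needs at least the app name
      for a in "$@"; do safe_arg "$a" || return 2; done ;;
    *) return 2 ;;
  esac
  # Forward as separate argv entries; never re-join and re-parse through a shell.
  "$INFSH_BIN" app "$action" "$@"
}

# When invoked as a script, apply the policy to the agent's arguments.
# With no arguments the file only defines the functions above.
if [ $# -gt 0 ]; then infsh_wrapper "$@"; fi
```

The wrapper does not make `infsh app run` itself safe; it only guarantees that the model can reach nothing beyond the two subcommands and cannot inject flags or shell syntax through the arguments. Whether `app run` can still exfiltrate data depends on what the CLI does with a valid app name, which is exactly the question the report leaves open.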
Full report: https://skillshield.io/report/bcc0315e74613a23 (powered by SkillShield)