Trust Assessment
product-photography received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include: arbitrary command execution; remote code execution (curl/wget output piped to a shell); and potential data exfiltration via `infsh` local file access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: remote code download piped to an interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/okaris/product-photography/SKILL.md:9 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/okaris/product-photography/SKILL.md:9 |
| HIGH | Potential data exfiltration via `infsh` local file access. The skill is granted `Bash(infsh *)` permissions, allowing it to execute any command starting with `infsh`. The example `infsh app run bytedance/seededit-3-0-i2i --input '{"image": "headphones-white.png"}'` demonstrates that the `infsh` tool can accept local file paths as input for its `--input` argument. If the skill constructs this JSON input using untrusted user input, an attacker could provide a path to a sensitive local file (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). The `infsh` tool would then read this file and potentially upload its content to the `inference.sh` service, leading to data exfiltration. Restrict `Bash` permissions to specific `infsh` subcommands and arguments if possible (e.g., `Bash(infsh app run)`). Implement strict input validation and sanitization for any user-provided data used to construct `infsh` command arguments, especially file paths. Avoid passing arbitrary file paths from user input to `infsh`. | LLM | SKILL.md:204 |
| HIGH | Risky `curl \| sh` installation method in Quick Start. The skill's "Quick Start" section instructs users to install the `infsh` CLI using `curl -fsSL https://cli.inference.sh \| sh`. This method directly pipes a remote script into a shell for execution. This is a significant supply chain risk, as a compromise of the `inference.sh` domain or the hosted script could lead to arbitrary code execution on the user's system. While the AI agent itself is restricted by `Bash(infsh *)` and cannot execute this command, the skill package promotes this insecure practice to its users. Recommend a more secure installation method, such as using a package manager (e.g., `npm install -g infsh-cli`), or at least requiring users to inspect the script before execution (e.g., `curl -fsSL https://cli.inference.sh > infsh-install.sh && less infsh-install.sh && sh infsh-install.sh`). | LLM | SKILL.md:10 |
| MEDIUM | Risky `npx` package execution for related skills. The "Related Skills" section suggests installing other skills using `npx skills add inferencesh/skills@ai-image-generation`. `npx` fetches and executes Node.js packages. This introduces a supply chain risk, as a compromised or typosquatted `inferencesh/skills` package (or its dependencies) could lead to arbitrary code execution on the user's system. While the AI agent itself is restricted by `Bash(infsh *)` and cannot execute this command, the skill package promotes this practice to its users. If possible, recommend installing skills from trusted, curated sources or with explicit version pinning to mitigate risks from package updates or compromises. | LLM | SKILL.md:249 |
Full report: https://skillshield.io/report/4e77191818711be7