Trust Assessment
web-search received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include Broad Bash execution permission for `infsh` CLI, Potential for Command Injection through `infsh` `--input`, Data Exfiltration via `infsh` and file redirection.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Broad Bash execution permission for `infsh` CLI. The skill declares `Bash(infsh *)` as an allowed tool. This grants the agent the ability to execute any command starting with `infsh` via the system's Bash shell. The `infsh` CLI is a powerful external tool that interacts with various web services (Tavily, Exa, OpenRouter) and potentially the local filesystem. This broad permission increases the attack surface, as a compromised agent could leverage `infsh` for unintended operations, including data exfiltration, system reconnaissance, or interaction with arbitrary external APIs if `infsh` supports such functionality. Restrict Bash permissions to the absolute minimum required. If `infsh` only needs to run specific subcommands (e.g., `infsh app run`), consider `Bash(infsh app run)` instead of `Bash(infsh *)`. Implement strict input validation and sanitization for all arguments passed to `infsh` commands. | LLM | Manifest |
| HIGH | Potential for Command Injection through `infsh` `--input`. The skill's examples demonstrate using `infsh app run` with a JSON string provided via the `--input` argument (e.g., `infsh app run tavily/search-assistant --input '{"query": "..."}'`). If the agent constructs this JSON string using untrusted user input without proper escaping or validation, a malicious user could potentially inject arbitrary JSON fields or attempt to break out of the JSON string to execute arbitrary shell commands. Given the `Bash(infsh *)` permission, a successful injection could lead to arbitrary command execution. The agent must strictly validate and sanitize all user-provided input before incorporating it into the `--input` JSON string. This includes proper JSON escaping of special characters and, ideally, schema validation of the input. Consider using a dedicated JSON parsing/building library rather than string concatenation. If possible, use a tool invocation mechanism that does not involve shell execution for arguments. | LLM | SKILL.md:15 |
| MEDIUM | Data Exfiltration via `infsh` and file redirection. The skill enables the agent to perform web searches and content extraction using `infsh` commands, which inherently involves sending data (queries, URLs) to external third-party services (Tavily, Exa). Furthermore, the examples demonstrate redirecting the output of `infsh` commands to local files (e.g., `search_results.json`, `content.json`). If the agent is prompted to process or save sensitive user data, this data could be inadvertently exposed to external services or stored locally in an insecure manner, potentially leading to exfiltration if the agent is further instructed to transmit or upload these files. Implement strict data handling policies for the agent. Ensure sensitive data is not passed to external services unless explicitly authorized. If data is saved to local files, ensure proper access controls are in place and that the agent is not instructed to transmit or upload these files without explicit user consent and security checks. | LLM | SKILL.md:57 |
| MEDIUM | Reliance on external CLI installation via `curl \| sh`. The "Quick Start" section instructs users to install the `inference.sh` CLI using `curl -fsSL https://cli.inference.sh \| sh`. This method executes a script directly from the internet without prior inspection, posing a significant supply chain risk. If the `cli.inference.sh` server or script is compromised, an attacker could inject malicious code, leading to arbitrary code execution on the user's system during installation. While this is a user-side installation step and not directly executed by the agent, it is a critical security concern for anyone adopting this skill. Recommend alternative, more secure installation methods, such as package managers (e.g., `apt`, `brew`, `npm install -g`) with cryptographic verification, or providing a downloadable binary with checksums. Users should be advised to inspect scripts before execution. | LLM | SKILL.md:8 |
Full report: https://skillshield.io/report/27be710b76bc0149