Prompt Engineering

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed prompt-engineering helper that uses the inference.sh CLI, but users should review its installer before running it.

Install only if you trust inference.sh and are comfortable authenticating its CLI. Prefer manual download or checksum verification over piping a remote script into `sh`, and do not include secrets or sensitive private content in prompts sent to external model providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill is presented as a prompt-engineering guide, but it instructs the user to install and authenticate a third-party CLI via shell commands. That expands the skill from informational guidance into software installation and execution, increasing the attack surface and making users more likely to run unreviewed commands in a trusted workflow.

External Script Fetching

High
Category
Supply Chain
Content
## Quick Start

```bash
curl -fsSL https://cli.inference.sh | sh && infsh login

# Well-structured LLM prompt
infsh app run openrouter/claude-sonnet-45 --input '{
```

Confidence: 97%
Finding
curl -fsSL https://cli.inference.sh | sh

VirusTotal

66/66 vendors flagged this skill as clean.
