This skill allows arbitrary code execution and command injection via user
Claims to do
Competitor Teardown: Structured competitive analysis with research and screenshots via [inference.sh](https://inference.sh) CLI.
Actually does
This skill uses the `inference.sh` CLI to perform structured competitive analysis. It executes commands to perform web searches via Tavily and Exa, extracts data from specified URLs, takes screenshots of websites using an agent browser, and runs Python code to generate a positioning map. It contacts external services for search, data extraction, and web browsing/screenshotting.
The skill explicitly allows the `infsh/python-executor` tool, which can execute arbitrary Python code. This grants the agent (and potentially an attacker via prompt injection) the ability to run any Python script within the execution environment, leading to potential system compromise if not properly sandboxed.

```
allowed-tools: Bash(infsh *)
infsh app run infsh/python-executor --input '{ "code": "..." }'
```

The skill uses various `infsh` tools (`search-assistant`, `agent-browser`, `extract`) where input parameters like `query` and `url` are derived from user input. If these tools or the `infsh` wrapper do not properly sanitize inputs, an attacker could inject malicious commands or trigger Server-Side Request Forgery (SSRF) to access internal resources.

```
infsh app run tavily/search-assistant --input '{ "query": "..." }'
infsh app run infsh/agent-browser --input '{ "url": "..." }'
```

The `infsh/python-executor` and `infsh/stitch-images` tools are capable of writing files to the agent's local filesystem (e.g., `.png` images). This capability, if combined with arbitrary code execution or path traversal vulnerabilities, could be used for data exfiltration or to establish persistence.

```
plt.savefig("positioning-map.png", dpi=150)
infsh app run infsh/stitch-images --input '{ "images": [...] }'
```

The `allowed-tools: Bash(infsh *)` directive grants the agent broad access to execute any command prefixed with `infsh`. While intended as a sandbox, the security relies entirely on the `infsh` CLI and its ecosystem of apps, which could be vulnerable to bypasses or supply chain attacks.

```
allowed-tools: Bash(infsh *)
```
Source: Mondoo Skill Check, https://mondoo.com/ai-agent-security/skills/github/tool-belt/skills/competitor-teardown