Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Image Generation
v0.1.5Generate AI images with FLUX, Gemini, Grok, Seedream, Reve and 50+ models via inference.sh CLI. Models: FLUX Dev LoRA, FLUX.2 Klein LoRA, Gemini 3 Pro Image,...
⭐ 0· 4.5k·36 current·39 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description promise (generate images via inference.sh and many models) matches the SKILL.md examples and commands (infsh app run ...). No unrelated credentials, binaries, or filesystem access are requested in the manifest.
Instruction Scope
The SKILL.md explicitly tells the agent to curl a remote install script and run infsh (curl -fsSL https://cli.inference.sh | sh && infsh login) and to run infsh app commands and npx to add other skill packages. These instructions are within scope for a CLI-driven image-generation skill, but they direct the agent to download and execute code and to run login flows (which will exchange credentials/token data). The doc does not instruct any unrelated data collection, but it does give broad discretion to run arbitrary infsh and npx commands.
Install Mechanism
There is no registry-level install spec; the runtime install is a curl|sh installer hosted at cli.inference.sh which downloads platform binaries from dist.inference.sh. curl|sh install patterns are common but higher risk because they execute remote code. The SKILL.md claims SHA-256 verification and links to checksums, but verification depends on the installer implementation and the user following the manual verification steps. Installer provenance (no homepage, unknown source in registry metadata) increases uncertainty.
Credentials
The skill declares no required env vars or credentials, which is consistent with an instruction-only wrapper around infsh. However, many referenced models (e.g., Google Gemini, xAI Grok) typically require authenticated access; the SKILL.md relies on 'infsh login' rather than declaring which credentials or scopes will be used. This omission is not necessarily malicious but leaves ambiguity about what credentials/integrations the CLI will request and store.
Persistence & Privilege
The skill is instruction-only and does not set always:true or request persistent system-wide privileges. It instructs the user/agent to install a CLI and optionally add other skills, but it does not itself request persistent inclusion or modify other skills' configs in the provided content.
Assessment
This skill appears to be what it claims: documentation for using the inference.sh CLI to run many image models. Before installing, verify you trust the inference.sh project and the binaries at dist.inference.sh. Prefer manual verification of checksums instead of piping curl into sh. Be aware 'infsh login' will involve authentication and the CLI may store tokens locally; check what scopes/credentials it requests. If you need stronger assurance, inspect the install script at https://cli.inference.sh and the checksums at https://dist.inference.sh/cli/checksums.txt, or run the installer in an isolated environment (VM/container) first.Like a lobster shell, security has layers — review code before you run it.
latestvk976emm478tr7h5f56k4tjv03581dm7e
License
MIT-0
Free to use, modify, and redistribute. No attribution required.