ClawHub
Back to skill
v0.1.5

Ai Marketing Videos

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:24 AM.

Analysis

The skill is a coherent marketing-video helper, but users should notice that it depends on installing and logging into an external cloud CLI.

GuidanceThis skill appears purpose-aligned and not malicious based on the provided artifacts. Before installing, make sure you trust inference.sh, consider manually verifying the CLI installer, and avoid sending confidential campaign or product information unless you are comfortable with the provider handling it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
curl -fsSL https://cli.inference.sh | sh && infsh login

The setup directs users to execute a remote installer script for the external CLI. This is central to the skill's purpose and user-directed, but it is still an installer provenance and trust decision.

User impactIf the user runs the setup command, they execute code from inference.sh outside the reviewed skill artifacts.
RecommendationInstall only if you trust inference.sh; prefer the documented manual install and checksum verification when possible.
Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
allowed-tools: Bash(infsh *)

The skill permits Bash calls to the `infsh` CLI. That matches the stated workflow, but it allows a broad set of inference.sh CLI operations rather than narrowly limiting execution to one model.

User impactAn agent using the skill may run inference.sh commands that consume cloud resources or affect outputs in the user's inference.sh account.
RecommendationReview generated `infsh` commands before running workflows that may incur cost, upload content, or create media assets.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
infsh login

The skill expects the user to authenticate to inference.sh. This is appropriate for a cloud generation service, but it means the skill operates through the user's external account context.

User impactGenerated jobs may use the user's inference.sh account, quotas, or billing arrangement.
RecommendationUse an account with appropriate limits and monitor usage if video generation has associated costs.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
infsh app run google/veo-3-1-fast --input '{ "prompt": "Sleek product reveal video..." }'

The examples submit prompts to external model apps through inference.sh. This is the expected service flow, but user-provided product, brand, or campaign details may leave the local environment.

User impactMarketing prompts, product descriptions, scripts, or media URLs may be shared with inference.sh and underlying model providers.
RecommendationAvoid including confidential product plans, unreleased campaign details, or sensitive customer data unless the provider's privacy terms are acceptable.