ClawHub
Back to skill
v0.1.5

Ai Video Generation

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:24 AM.

Analysis

This skill is a coherent AI video-generation wrapper for the inference.sh CLI, with user-noticeable setup, login, and external media-processing considerations.

GuidanceThis looks appropriate for its stated purpose. Before installing, verify the inference.sh CLI installer, log in only with the account you intend to use, review any costs or quotas, and avoid sending sensitive images, audio, video, or private URLs unless you trust the service handling them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
curl -fsSL https://cli.inference.sh | sh && infsh login

The skill tells users to install a remote CLI installer before use. This is aligned with the stated CLI-based purpose, but it relies on a remote installation source that is not included as an install spec artifact.

User impactRunning the setup command would execute installer code from inference.sh on the user's machine.
RecommendationInstall only if you trust inference.sh, prefer the documented manual install/checksum verification path, and review any optional related skill installs separately.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
infsh login

The setup flow includes logging into inference.sh. That is expected for a hosted AI inference service, but users should recognize that account authorization may be needed even though the registry metadata lists no primary credential.

User impactThe CLI may act under the user's inference.sh account and could consume service access or credits when generating media.
RecommendationUse the intended inference.sh account, understand any costs or quotas, and avoid sharing account access with untrusted agents or environments.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
infsh app run bytedance/omnihuman-1-5 --input '{ "image_url": "https://portrait.jpg", "audio_url": "https://speech.mp3" }'

The examples pass prompts and media URLs to external inference.sh apps and model providers. This is central to video generation, but it means user-provided media or links may leave the local environment.

User impactPrivate prompts, images, videos, or audio URLs provided to the CLI could be processed by external services.
RecommendationDo not submit sensitive or private media unless you are comfortable with inference.sh and the relevant model provider handling it; review their privacy and retention terms.