Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
App Store Screenshots
v0.1.5
App Store and Google Play screenshot creation with exact platform specs. Covers iOS/Android dimensions, gallery ordering, device mockups, and preview videos....
by Ömer Karışman (@okaris)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the runtime instructions: the SKILL.md describes creating App Store/Play screenshots and repeatedly shows commands that call the infsh CLI to generate images and stitch assets. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
The instructions are narrowly scoped to generating screenshots and preview videos (prompts for image generation, stitching images, size guidance, gallery ordering). However, they explicitly instruct installing and using the infsh CLI which will accept arbitrary prompts and inputs — that CLI may read or upload images you pass to it. The skill does not instruct reading unrelated local files or environment variables, but use of the external CLI expands runtime behavior beyond just locally creating images.
Install Mechanism
There is no internal install spec; SKILL.md tells the user to run curl -fsSL https://cli.inference.sh | sh. Piping a remote script to sh and downloading binaries from dist.inference.sh is a high-risk install pattern because arbitrary code/binaries are fetched and executed. The doc mentions SHA-256 checksum verification and a manual check URL, which helps if followed, but the skill does not enforce or automate verification — relying on user diligence. Also, the skill's source/homepage are unknown, increasing trust risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportionate for an instruction-only screenshot generation skill.
Persistence & Privilege
always is false and there's no install spec that writes persistent agent config. The skill does not request elevated privileges or persistent presence in the agent by itself.
Scan Findings in Context
[no_code_files_to_scan] expected: The regex scanner found nothing to analyze because this is an instruction-only skill (only SKILL.md). Absence of findings is expected but not an indication of safety; the SKILL.md itself instructs fetching and running external code.
What to consider before installing
This skill appears to do what it says (generate app screenshots) but it tells you to install and run a third‑party CLI fetched from the web. Before installing: (1) inspect the installer script at https://cli.inference.sh — do not run it blind; (2) verify the binary checksums manually against the published checksums; (3) prefer manual download of the binary and run it in a sandbox or disposable VM if possible; (4) avoid sending private or proprietary screenshots to remote services unless you trust their privacy policy; (5) check who controls the inference.sh/dist.inference.sh domains and look for a project homepage or source repo; (6) if you cannot verify the publisher/trust, use local image tools (Photoshop, Figma, local scripts) or vetted services instead.
Like a lobster shell, security has layers — review code before you run it.
