App Store Screenshots
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: app-store-screenshots
Version: 0.1.5

The skill instructs the AI agent to execute `curl -fsSL https://cli.inference.sh | sh` in SKILL.md. This command downloads and executes an arbitrary shell script from an external URL, posing a significant supply chain risk and a potential Remote Code Execution (RCE) vulnerability. While the documentation attempts to explain the script's benign purpose, this method is inherently risky: a compromise of the remote server could lead to arbitrary code execution on the agent's host. No other clear malicious intent, such as data exfiltration or persistence, is observed within the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI runs code from an external source on the user's machine.
The skill tells users to install a third-party CLI by piping a remote script into the shell. This is disclosed and purpose-aligned, but it is still a supply-chain step users should inspect or verify.
curl -fsSL https://cli.inference.sh | sh && infsh login
Use the manual install and checksum verification path if possible, and only install the CLI from a trusted network and account context.
The CLI may operate under the user's inference.sh account and could consume quota or access that account's resources.
The skill requires authentication to the inference.sh CLI. This is expected for using the external service, and the artifacts do not show token logging, hardcoded credentials, or unrelated account access.
infsh login
Log in with the intended account only, and review account permissions, billing, and generated commands before use.
The agent could run different infsh subcommands within the allowed pattern, potentially invoking external jobs or using service credits.
The skill permits Bash execution of infsh commands. That matches the screenshot-generation purpose, but it is broader than a single fixed workflow.
allowed-tools: Bash(infsh *)
Review infsh commands before approving them, especially commands that upload files, create videos, or start paid inference jobs.
Prompts, screenshots, mockups, or app UI images may be sent to inference.sh or underlying model providers.
The skill routes screenshot and preview-video generation through an external provider CLI. This is expected for the skill, but user prompts and referenced image assets may leave the local environment.
Create app store screenshots and preview videos via [inference.sh](https://inference.sh) CLI.
Do not include secrets, private user data, unreleased confidential UI, or customer information in prompts or uploaded images unless that sharing is acceptable.
