Case Study Writing

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is purpose-aligned for case study writing, but it relies on an external CLI, login, web-search provider calls, and a Python execution helper that users should verify and scope carefully.

Before installing, verify the inference.sh CLI installer and checksum, log in only with an appropriate account, keep infsh commands limited to the documented research/charting workflow, and avoid sending confidential customer data to external search or execution apps unless approved.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill's suggested CLI runs code from an external domain on the user's machine.

Why it was flagged

The Quick Start asks the user to install an external CLI by piping a remote script into a shell. This is disclosed setup for the skill's inference.sh workflow, but it is still a supply-chain-sensitive installation pattern.

Skill content

curl -fsSL https://cli.inference.sh | sh && infsh login

Recommendation

Only run the installer if you trust the provider; prefer the documented manual install and checksum verification path where possible.

What this means

The workflow may operate under the user's inference.sh account once logged in.

Why it was flagged

The skill expects the user to authenticate to the inference.sh CLI. This is normal for an external service integration, but it means the skill workflow may use an account/session outside the local agent.

Skill content

infsh login

Recommendation

Use an account with appropriate scope and avoid sharing credentials or session details in prompts.

What this means

If invoked, the agent could use the inference.sh CLI beyond the exact examples in the instructions.

Why it was flagged

The skill grants access to any infsh command rather than only the specific documented search and visualization commands. The examples are purpose-aligned, but the wildcard is broader than the visible workflow requires.

Skill content

allowed-tools: Bash(infsh *)

Recommendation

Keep usage limited to the documented research and visualization commands, and review unfamiliar infsh actions before allowing them.

What this means

Chart generation may execute Python code and create files as part of the workflow.

Why it was flagged

The skill shows using an inference.sh Python executor to generate a chart and write an output file. This is disclosed and aligned with the data-visualization purpose, but it is still code execution via an external helper.

Skill content

infsh app run infsh/python-executor --input '{ "code": "import matplotlib.pyplot as plt ... plt.savefig(\"results-chart.png\", dpi=150)" }'

Recommendation

Use simple, reviewable chart code and avoid running generated or user-supplied code that has not been inspected.

What this means

Search terms, and potentially any customer details included in them, may be sent to external services.

Why it was flagged

The skill sends research queries to an external search assistant through inference.sh. This is disclosed and purpose-aligned, but it is an external provider data flow.

Skill content

infsh app run tavily/search-assistant --input '{ "query": "SaaS customer onboarding challenges 2024 statistics" }'

Recommendation

Do not include confidential customer metrics, names, or quotes in external search queries unless sharing them is permitted.