Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Character Design Sheet

v0.1.5

Character consistency across AI-generated images with reference sheets and LoRA techniques. Covers turnaround views, expression sheets, color palettes, and s...

by Ömer Karışman @okaris
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (character design sheets, LoRA, turnarounds, expressions, palette sheets) match the SKILL.md content: all examples use the infsh CLI to run a LoRA-backed imaging app and a stitch utility. The commands and example workflows are coherent with the stated purpose.
Instruction Scope
The SKILL.md stays within the domain of generating and stitching images and creating reference sheets. However, it instructs the agent to install and use the infsh CLI and to run 'infsh app run' commands which will transmit prompts and image files to the inference service — so data (including any images you reference or upload) will leave the local machine to that external service. The instructions do not ask the agent to read unrelated local files or environment variables.
Install Mechanism
Although the skill has no formal install spec, the SKILL.md explicitly recommends running 'curl -fsSL https://cli.inference.sh | sh' which downloads and executes a remote install script. That pattern (pipe-to-sh) is a high-risk install method because it runs code fetched at runtime; the document claims checksum verification is available on dist.inference.sh, but the instructions still encourage an automated remote install without showing explicit local verification steps. This is a legitimate functionality choice but raises install-time risk.
Credentials
The skill does not request environment variables, credentials, or config paths in metadata. The commands shown do not reference secrets or unrelated credentials. Requiring a CLI and a remote account/session (via 'infsh login') is proportionate to using a hosted image-generation service.
Persistence & Privilege
The skill metadata doesn't request persistent or privileged presence (always:false). There is no indication in SKILL.md that it will change other skills' configurations or system-wide settings. The usual autonomous invocation is allowed (platform default).
What to consider before installing
This skill appears to be what it says (instructions to use the infsh CLI to generate and stitch character images), but be careful before running its install or demo commands:
- Avoid blindly running 'curl | sh'. Instead, fetch the installer script and checksum manually, inspect the script, and verify the SHA-256 checksums from the referenced dist.inference.sh/checksums.txt before running anything.
- Expect that prompts and any image files you pass to 'infsh app run' will be uploaded to the inference.sh service; do not upload private or sensitive images or secrets.
- Check what 'infsh login' stores (local token files) and where they are written; use a throwaway account if you need to test.
- Prefer installing the CLI from a package manager or official release asset where possible, or follow the project's manual install & verification instructions rather than the one-line curl pipeline.

If you want a lower-risk evaluation, ask the skill author for: (1) a link to the exact installer release asset (not just the 'curl | sh' endpoint), (2) the published SHA-256 checksum and a linkable origin for it, and (3) a privacy/Data Processing policy for the inference.sh service describing how prompts and images are stored or used.

Like a lobster shell, security has layers — review code before you run it.
