Customer Persona
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: customer-persona Version: 0.1.5 The skill bundle is designed for creating customer personas using the `inference.sh` CLI tool. The `SKILL.md` provides clear, step-by-step instructions for the AI agent, including commands for web search and AI image generation, all executed via `infsh`. The `allowed-tools` permission `Bash(infsh *)` is appropriately scoped for the skill's functionality. While the `curl -fsSL https://cli.inference.sh | sh` installation method is a common practice for CLI tools, it represents a supply chain risk if the remote server were compromised. However, this is an installation instruction for a dependency, not an act of malice by the skill itself, and the skill provides transparency notes about the script's function. There is no evidence of prompt injection, data exfiltration, persistence, or other malicious intent within the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI means trusting code downloaded from inference.sh.
The skill documents installation through a remote shell script for a third-party CLI. This is disclosed and central to the skill, but users should verify the installer before running it.
curl -fsSL https://cli.inference.sh | sh && infsh login
Use the manual install and checksum verification path if you want stronger assurance before installing.
The skill may use your logged-in inference.sh account to run provider apps.
The skill expects an authenticated inference.sh session, while the registry metadata lists no primary credential or required environment variables.
infsh login
Confirm which inference.sh account is logged in and understand any account permissions or usage costs before invoking the skill.
If invoked too broadly, the agent could run inference.sh commands beyond the examples shown.
The allowed tool pattern permits broad use of the `infsh` CLI, while the documented workflow only needs specific `infsh app run` calls for search and image generation.
allowed-tools: Bash(infsh *)
Review agent actions before execution and prefer using only the documented search and avatar-generation commands.
Market, customer, or audience details included in prompts may be sent to third-party services.
The skill routes persona research queries and avatar prompts through external apps/providers. This is purpose-aligned and disclosed, but it is still an external data flow.
infsh app run tavily/search-assistant ... infsh app run exa/search ... infsh app run falai/flux-dev-lora
Avoid including confidential customer data, proprietary strategy, or personal information unless you are comfortable sending it to those providers.