Email Design
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is a mostly instruction-only email design guide, with disclosed use of an external inference.sh CLI for generating email visuals.
This skill appears safe to install as an email design aid, but only run the inference.sh installer and login flow if you trust that provider. Do not send sensitive customer data, secrets, or confidential campaign details to the external image-generation command unless that use is approved.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running this setup command installs a third-party CLI on the user's machine.
The Quick Start recommends installing a remote CLI via a shell pipe. This is disclosed and user-directed, but it depends on trusting the external installer source.
curl -fsSL https://cli.inference.sh | sh && infsh login
Verify the inference.sh installer and checksum information before running the command, or use the documented manual installation path.
The agent may use the infsh CLI as part of email visual generation workflows.
The skill grants the agent permission to run infsh CLI commands. This is aligned with the stated image-generation purpose, but users should understand that the integration is not limited to one exact command in the artifact.
allowed-tools: Bash(infsh *)
Use this skill when you are comfortable with the agent invoking inference.sh commands, and review generated commands before approving any unexpected provider action.
Using the image-generation feature may connect the agent's workflow to the user's inference.sh account.
The workflow asks the user to authenticate to inference.sh. This is expected for the external provider integration, and the artifacts do not show hardcoded, logged, or unrelated credential use.
infsh login
Authenticate only to the intended inference.sh account and avoid sharing credentials directly in prompts.
Email copy, branding, or campaign details included in generated HTML may be processed by the external provider.
The example sends HTML input to an external inference.sh app to generate an image. This is purpose-aligned and disclosed, but the content supplied to the command may leave the local environment.
infsh app run infsh/html-to-image --input '{ "html": "<div style=..." }'Avoid including confidential customer data, unreleased campaign details, or secrets in inputs sent to external generation services unless permitted by your policy.