ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Explainer Video Guide

v0.1.5

Explainer video production guide: scripting, voiceover, visuals, and assembly. Covers script formulas, pacing rules, scene planning, and multi-tool pipelines...

0· 705·2 current·2 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name and description (explainer video production: scripting, voiceover, visuals, assembly) align with the SKILL.md content: pacing rules, scene templates, TTS and model examples. The runtime examples all call infsh model runs, which is coherent with the stated multi-tool pipeline focus.
Instruction Scope
Instructions stay within video production scope (script formulas, scene prompts, TTS pacing, image->video workflows). They do instruct the agent/user to install and use the infsh CLI and to run infsh login, which implies contacting an external service and providing credentials; those credentials are neither declared in requires.env nor explained. The SKILL.md references local paths for images (e.g., path/to/workspace-still.png) which is expected for content pipelines.
!
Install Mechanism
The guide recommends running curl -fsSL https://cli.inference.sh | sh (pipe-to-shell) and downloading a binary from dist.inference.sh. Pipe-to-shell installs are high-risk because they execute remote code immediately. The SKILL.md claims checksum verification and links to a checksums file, but the instructions still direct an unattended pipe-to-sh flow rather than a manual, verifiable install. The install source is a third‑party domain rather than a widely-known release host; this increases risk and warrants manual verification before running.
Credentials
The skill declares no required env vars or credentials, which is consistent with being instruction-only. However, it instructs the user to run infsh login (implying account/API credentials) but does not document what credentials or scopes are needed. That omission is not necessarily malicious, but users should expect to provide/authorize external service credentials when using the CLI and should confirm what data is uploaded to the service.
Persistence & Privilege
No install spec, no code files, always:false, and no requests to modify other skills or system-wide configs. The skill does not request persistent system presence or elevated privileges.
Assessment
This skill is coherent with its purpose (video-production recipes that call a third‑party CLI). Before installing or running the suggested curl | sh, verify the authenticity of cli.inference.sh and its checksums (prefer manual download + verify SHA-256). Be cautious of running pipe-to-shell installs and of granting the external service account access (infsh login) — review what data (video frames, audio, scripts) will be uploaded and what permissions the API key/session grants. If you prefer lower risk, follow the manual install & verification links in the SKILL.md or use local tooling you already trust.

Like a lobster shell, security has layers — review code before you run it.

latestvk9798f7c5jqwgwaqeqrmnc89gn81cs08

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments