ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flux Image

v0.1.5

Generate images with FLUX models (Black Forest Labs) via inference.sh CLI. Models: FLUX Dev LoRA, FLUX.2 Klein LoRA with custom style adaptation. Capabilitie...

2· 1.8k·6 current·7 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md shows how to install and use the inference.sh CLI to run FLUX image models. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
Instructions are narrowly scoped to installing the inference.sh CLI and invoking infsh app run/sample commands; they do not ask the agent to read arbitrary system files or unrelated credentials. However, the doc tells the user to run 'infsh login' (an interactive auth step) and to pipe a remote install script to sh, which are broader actions than what the metadata declares.
!
Install Mechanism
There is no formal install spec in the registry metadata, but SKILL.md explicitly recommends running 'curl -fsSL https://cli.inference.sh | sh' (download-and-execute from a service domain). While the doc claims checksum verification is available, piping a remote script to sh (and relying on a project-hosted binary distribution) is higher risk than using a reviewed package manager. Verify checksums and inspect the install script before running.
Credentials
The skill declares no required environment variables or credentials, which aligns with the metadata. But the instructions include 'infsh login' (implying account credentials or tokens will be used/stored). The skill does not declare where such credentials will be stored or what scope they have — the login step is not reflected in the declared requirements.
Persistence & Privilege
The skill is instruction-only and not marked always:true. It does not request elevated or persistent platform-wide privileges in the metadata. Installing the CLI would create a local binary (normal for a CLI) but that is a user action, not an automatic persistent modification by the skill.
What to consider before installing
This skill appears to do what it says (drive the inference.sh CLI to run FLUX models), but pay attention to the install and auth steps before proceeding. Don't blindly run 'curl https://cli.inference.sh | sh' — download and inspect the script first and verify the SHA-256 checksums linked in the SKILL.md. Expect to provide/login with an inference.sh account or token; confirm where the CLI stores that token and whether you trust the service. If you prefer lower risk, install the CLI from a package manager (if available) or run it in a sandboxed environment or container.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fq3888zd069p3nr6e5aw2ws81d6m7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments