Flux Image

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent image-generation skill for inference.sh, but users should notice that it installs and logs into an external CLI and sends prompts or image URLs to that service.

Before installing, confirm that you trust inference.sh, consider using the manual checksum verification path instead of blindly running the curl-to-shell installer, log in only with an account you intend the agent to use, and avoid submitting confidential images or prompts unless that is acceptable under your data-handling requirements.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI may run code from inference.sh on the local machine.

Why it was flagged

The setup path runs a remote installer script to obtain the CLI. This is disclosed and central to the skill's purpose, but users must trust the external installer source.

Skill content

curl -fsSL https://cli.inference.sh | sh && infsh login

Recommendation

Install only if you trust inference.sh, prefer the documented manual checksum verification when possible, and review the installer source before running it.

What this means

An agent using the skill could run unexpected infsh commands if a request is ambiguous or if the user does not review command intent.

Why it was flagged

The skill can invoke any infsh CLI subcommand, not only the listed image-generation commands. This is consistent with a CLI integration but broader than a narrowly scoped wrapper.

Skill content

allowed-tools: Bash(infsh *)

Recommendation

Review infsh commands before approving sensitive actions, and restrict tool scope to the specific app-run commands if your environment supports narrower permissions.

What this means

Generated-image requests will use the authenticated inference.sh account available to the CLI.

Why it was flagged

The skill instructs users to authenticate to inference.sh. That is expected for using the service, but it means the skill operates with an external account session.

Skill content

infsh login

Recommendation

Use an appropriate account, understand what access the CLI receives, and avoid leaving shared environments logged into accounts you do not want agents to use.

What this means

Private prompts or image URLs provided to the skill may be processed by external services.

Why it was flagged

Prompts and image URLs are sent to an external inference app. This is disclosed and required for the stated image-generation purpose.

Skill content

infsh app run falai/flux-dev-lora --input '{ "prompt": "transform to watercolor style", "image_url": "https://your-image.jpg" }'

Recommendation

Do not send confidential images, private URLs, or sensitive prompt content unless you are comfortable with inference.sh and the underlying app handling that data.