Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Image To Video
v0.1.5
Still-to-video conversion guide: model selection, motion prompting, and camera movement. Covers Wan 2.5 i2v, Seedance, Fabric, Grok Video with when to use ea...
by Ömer Karışman (@okaris)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the SKILL.md content: it is a how-to for animating images and lists concrete model app IDs. However, the runtime instructions depend on an external CLI (infsh) even though the registry declares no required binaries; that dependency is implicit rather than declared.
Instruction Scope
Runtime instructions tell the agent to download/run a remote install script (curl https://cli.inference.sh | sh) and then run infsh app run ... and infsh login. The SKILL.md does not explicitly warn that running model inference will likely upload images to a remote provider, nor does it explain what credentials or data are sent. The instructions therefore expand scope beyond simple local guidance into remote execution and potential data transfer without declaring that behavior.
Install Mechanism
Although the doc claims the installer verifies SHA-256 and provides a checksums URL, the Quick Start recommends piping the remote install script directly into sh (curl | sh), which bypasses manual verification and is a high‑risk install pattern. The install source is a third‑party domain (inference.sh / dist.inference.sh) rather than a clearly established package registry; this elevates risk compared with no install or packaged installs.
Credentials
The registry lists no required environment variables or credentials, yet the instructions call out 'infsh login' (implying credentials) and will likely send local image files to a remote inference service. This is an incoherence: the skill implicitly requires account/authentication and network access but the metadata does not declare or justify any credentials or data-flow implications.
Persistence & Privilege
always:false and no code files in the skill means it does not demand platform-level persistent privileges. However, the recommended install writes a third‑party binary (infsh) to the system, creating a persistent CLI that the agent (or user) can invoke later — a modest persistence footprint that the skill does not disclose in registry metadata.
What to consider before installing
This skill is a plausible and useful how-to for animating images, but it relies on a third‑party CLI (infsh) installed by piping a remote script into sh — a risky pattern. Before installing or running it: (1) avoid running curl | sh blind; prefer downloading the installer and verifying the SHA‑256 checksum yourself against the published checksums URL, (2) inspect the install script (and any binary) or run it in a sandbox/VM, (3) assume infsh will upload images and require an account/login — do not use sensitive or private images until you confirm the provider's privacy/policy, (4) ask the skill author for source/homepage or a reproducible manual install path and explicit details about what data is sent, and (5) if you need strong privacy, prefer local/offline tools or self‑hosted inference rather than an unknown remote provider. If the author can provide a verified release URL, reproducible install steps, and an explicit disclosure about authentication and data upload, this would reduce the risk.
Like a lobster shell, security has layers — review code before you run it.
