Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Landing Page Design
v0.1.5Landing page conversion optimization with layout rules, hero section design, and CTA psychology. Covers above-the-fold formula, social proof placement, mobil...
⭐ 0· 841·4 current·4 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (landing page design, hero, CTA, conversion) match the content of SKILL.md and the example commands (AI-generated hero images, search assistant) are relevant to producing landing page assets and research.
Instruction Scope
SKILL.md explicitly instructs running a remote installer (curl -fsSL https://cli.inference.sh | sh) and then using infsh app run commands that call external services. Those instructions go beyond passive prose: they direct execution of a downloaded script and networked commands that will transmit data to third-party services. The doc does not request unrelated local files or env vars, but it does instruct potentially sensitive actions (installer execution, login to remote service).
Install Mechanism
Although the registry lists no install spec, the SKILL.md tells users to install a CLI by piping a remote script to sh. The doc claims the script verifies checksums and downloads from dist.inference.sh, but piping remote script execution is high-risk unless the user independently verifies checksums and source integrity. The lack of a declared, auditable install spec in the registry is an inconsistency.
Credentials
The skill does not declare or require environment variables or credentials in the registry. The instructions do call 'infsh login', which implies account credentials will be used with the external service — this is proportional to using a third-party CLI but is not documented in the registry metadata.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and instruction-only; any persistence (installing the CLI) would be initiated by the user/agent per the instructions, not enforced by the registry.
What to consider before installing
This skill's content for landing-page design appears legitimate, but the runtime instructions tell you to download and execute a remote installer (curl | sh) and to log into a third-party CLI (inference.sh). Before installing or running those commands: 1) do NOT run curl | sh blindly — fetch the installer script first and inspect it, and independently verify SHA-256 checksums from a trusted source; 2) prefer manual installation steps (download binary, verify checksum, then run) rather than piping to a shell; 3) confirm the authenticity of dist.inference.sh and the CLI project (look for a public repo, release artifacts, and HTTPS certificate validity); 4) understand what data will be sent to the external service (images, prompts, site URLs), and avoid sending any sensitive content; 5) if you want this skill to be fully auditable, ask the publisher for an explicit install spec or source repository and for any required env/credential details to be documented in the registry. If you cannot verify the CLI's source and checksums, treat the install step as high risk and avoid running it.Like a lobster shell, security has layers — review code before you run it.
latestvk97bfm96xvsmb9yw8rrrkmj9q181cy2h
License
MIT-0
Free to use, modify, and redistribute. No attribution required.