Landing Page Design
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: landing-page-design
Version: 0.1.5
The `SKILL.md` file contains instructions for the AI agent to execute `curl -fsSL https://cli.inference.sh | sh` and `npx skills add ...`. While these are common patterns for installing CLI tools and managing dependencies, they represent significant supply chain vulnerabilities. The `curl | sh` command allows arbitrary code execution from a remote server (`cli.inference.sh`), and `npx` can download and execute arbitrary packages from npm. These actions, if executed by the agent, introduce a high risk of compromise if the remote sources are malicious or compromised, even though there is no clear evidence of intentional malicious behavior (e.g., data exfiltration, persistence) from the skill author.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run external provider jobs through infsh, which could send prompts externally or use the user's account.
The skill allows the agent to run the infsh CLI. This fits the stated image-generation and research purpose, but it is broad within that third-party tool.
allowed-tools: Bash(infsh *)
Review infsh commands before running them, especially anything that could incur cost, publish content, or use non-example inputs.
Installing the CLI gives a third-party binary access to run on the user's machine.
The quick start uses a remote installer for an external CLI. It is user-directed and disclosed, but it requires trusting the external distribution source.
curl -fsSL https://cli.inference.sh | sh && infsh login
Use the official source, prefer manual installation when possible, and verify the checksum before running the CLI.
Generated images or searches may be tied to the user's external account and any associated billing or usage limits.
The skill expects authentication to the inference.sh CLI. This is normal for the integration, but it means provider calls may use the user's account.
infsh login
Use an account and permissions appropriate for this task, and check provider billing and data-use settings.
If real landing-page copy, company strategy, or customer information is placed in prompts, that information may be sent to third-party services.
The skill sends prompts or search queries to external provider apps through infsh. This is disclosed and purpose-aligned, but data boundaries are not further detailed.
infsh app run tavily/search-assistant --input '{ "query": "best SaaS landing page examples 2024 conversion rate" }'
Avoid including confidential business or customer data in prompts unless the external provider's privacy and retention terms are acceptable.
