Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Linkedin Content
v0.1.5LinkedIn post writing with hook formulas, formatting rules, and engagement patterns. Covers post types, algorithm signals, character limits, and content pill...
⭐ 0· 1.2k·6 current·6 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to generate LinkedIn content and the SKILL.md provides extensive, coherent guidance for that purpose. However, the instructions explicitly rely on an external CLI (infsh/inference.sh) for research and posting, yet the registry lists no required binaries or install spec — an inconsistency between claimed capabilities and declared requirements.
Instruction Scope
The SKILL.md instructs running networked commands (curl | sh https://cli.inference.sh, then infsh login and infsh app run ...) which will fetch and execute a third-party binary and perform networked actions (searching, cross-posting). Those instructions go beyond pure offline text-generation guidance and may cause the agent to prompt for or transmit credentials to external services (e.g., infsh login, x/post-create). The skill does not document what credentials or endpoints are actually required.
Install Mechanism
The recommended install uses a piped shell install (curl -fsSL https://cli.inference.sh | sh) that downloads a binary from dist.inference.sh. While the SKILL.md claims SHA-256 checksum verification is available, a download-from-unknown-domain pattern is higher risk (archive/binary will be written to disk and executed). The registry provides no formal install spec to let operators vet the package ahead of time.
Credentials
The skill declares no required environment variables or credentials, yet the instructions call out 'infsh login' and cross-posting apps (e.g., x/post-create) which will require authentication. The absence of declared credential requirements is a proportionality mismatch — the skill may prompt for or store secrets without this being reflected in metadata.
Persistence & Privilege
always is false and the skill is instruction-only with no install spec in the registry. It does not request persistent privileges or modify other skills. The main persistence risk comes from installing the external CLI described in the instructions, not from the skill metadata itself.
What to consider before installing
This skill appears to be a legitimate LinkedIn content guide, but it directs you to download and run a third‑party CLI (inference.sh) via a curl|sh installer and to 'infsh login' — actions that will execute remote code and require credentials. Before installing or running anything: 1) verify the developer/source (homepage or repo) and publisher identity; 2) prefer downloading a signed release or verifying SHA-256 checksums from an independent release page; 3) avoid piping unknown scripts into sh — inspect the installer first; 4) be cautious about running 'infsh login' or cross-post commands without understanding where your credentials are stored and what scopes are requested; 5) ask the publisher to include a formal install spec and to declare required credentials in the registry so the dependency/privilege picture is clear. If you cannot verify the CLI's provenance, treat the install step as higher risk and consider using purely local/manual drafting instead.Like a lobster shell, security has layers — review code before you run it.
latestvk9762nrg3vhp2kfcbc2tg76dqh81cqj3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.