Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Logo Design Guide

v0.1.5

Logo design principles and AI image generation best practices for creating logos. Covers logo types, prompting techniques, scalability rules, and iteration w...

by Ömer Karışman (@okaris)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (logo design + AI image generation best practices) align with the SKILL.md content: prompting tips, scalability rules, and examples that call an image-generation CLI. Recommending a CLI (inference.sh) to run models is coherent with the stated purpose.
Instruction Scope [!]
The SKILL.md instructs running networked shell commands (curl | sh https://cli.inference.sh) and using 'infsh login' and model execution. These steps cause network activity and install a third-party binary; they also reference local files (e.g., path/to/best-logo.png) for upload. The instructions do not ask for unrelated system files, but they grant the skill the ability to fetch and execute remote code and to perform authenticated operations without declaring how credentials are supplied.
Install Mechanism [!]
There is no registry install spec, but the guide explicitly tells users/agents to run a remote installer via curl | sh against cli.inference.sh and to download binaries from dist.inference.sh. Pipe-to-sh with network downloads is a high-risk install pattern even if the script claims checksum verification. The guide points to a checksums file but does not embed or automate verification, and the domains are not standard package hosts (e.g., GitHub releases) listed in the skill metadata.
Credentials
The skill declares no required environment variables or credentials, which is good. However, it instructs 'infsh login' and running third-party models (bytedance, falai, xai, etc.), which typically require service credentials or accounts; the SKILL.md does not document where those credentials come from or which env vars/configs the agent will need, creating a gap between claimed and operational requirements.
Persistence & Privilege
The skill is instruction-only, has no install spec in the registry, and 'always' is false. It does not request persistent elevated privileges in its metadata. The main runtime risk is that its instructions ask the agent to install an external CLI, but that is an action the user/agent must perform rather than a registry-enforced persistent presence.
What to consider before installing
This guide itself is coherent for logo design, but it instructs installing and running a third-party CLI via curl | sh and performing 'infsh login' without declaring required credentials. Before installing or running these commands:
(1) verify the cli.inference.sh and dist.inference.sh domains and their reputation;
(2) avoid piping remote scripts directly to sh — download the script, inspect it, and verify checksums manually against the provided checksums URL;
(3) confirm what account or API key 'infsh login' requires and never expose unrelated credentials;
(4) prefer running such installation steps manually (not automatically) and run them in an isolated environment if you need to test;
(5) if you want an instruction-only skill without external installs, ask the author to remove the automatic-install instructions or provide a vetted package source (e.g., official GitHub releases or a widely-trusted package manager).
If you don't trust the external CLI, treat the skill as read-only guidance rather than an automation recipe.
