Logo Design Guide
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: logo-design-guide
Version: 0.1.5
The skill is classified as suspicious primarily due to the `SKILL.md` instructing users to install the `inference.sh` CLI via `curl -fsSL https://cli.inference.sh | sh`. This method executes arbitrary code from a remote source, posing a significant supply chain vulnerability and risk to the user's system, even though it's an instruction for the user and not a prompt injection against the AI agent. Additionally, the `allowed-tools: Bash(infsh *)` permission grants the AI agent broad execution capabilities for the `infsh` command, which, depending on the full scope of `infsh`'s subcommands, could represent a risky capability beyond the benign image generation examples provided.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the installer could change the local environment by installing the inference.sh CLI.
The skill tells users to install a remote CLI by piping a downloaded script to a shell. This is a disclosed, purpose-aligned setup step, but it requires trusting the remote installer and distribution source.
curl -fsSL https://cli.inference.sh | sh && infsh login
Install only if you trust inference.sh; prefer the documented manual install and checksum verification before logging in.
Using the skill may create remote generation jobs and consume provider credits or quota.
The skill allows Bash use for infsh commands, which can launch external image-generation jobs. This is central to the logo-generation purpose and is scoped to the named CLI.
allowed-tools: Bash(infsh *)
Confirm before running batches or expensive models, especially when examples use repeated generation or no-wait job submission.
Generated images may be tied to the user's inference.sh account and may use that account's permissions, credits, or billing.
The skill requires logging in to the inference.sh CLI, meaning it will use an external account/session. This is expected for a provider-backed image-generation workflow and no unrelated credential use is shown.
infsh login
Use an account intended for this work and review the service's billing, permissions, and session-storage behavior.
Brand concepts, prompts, or uploaded logo images may leave the local machine and be processed by external services.
The workflow sends prompts, and in the upscaling example a local image path, to external inference.sh/provider apps. This is disclosed and purpose-aligned for AI image generation.
infsh app run falai/flux-dev-lora --input '{ "prompt": "flat vector logo ..." }'
Avoid sending confidential client branding or unreleased assets unless the relevant provider data policies are acceptable.
