Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Og Image Design
v0.1.5
Open Graph and social sharing image design with platform specs, text placement, and branding. Covers OG meta tags, Twitter cards, LinkedIn previews, and dyna...
by Ömer Karışman (@okaris)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md shows how to produce social/OG images by calling the infsh (inference.sh) HTML-to-image app. There are no unrelated env vars, binaries, or install requirements in the bundle.
Instruction Scope
The instructions explicitly tell the agent to download and run https://cli.inference.sh and to use `infsh app run ...` with inlined HTML. The guidance does not request reading local files or unrelated environment variables. However, the examples will transmit the provided HTML/content to inference.sh (a remote service) which has privacy implications; the SKILL.md does not detail what is sent, retained, or logged by that service.
Install Mechanism
There is no formal install spec in the skill bundle, but the SKILL.md advises piping a remote script into sh (curl | sh) that downloads a binary from dist.inference.sh. While the document claims checksum verification is available, executing a remote install script is higher risk than a vetted package manager; users should manually verify checksums and the publisher before running the installer.
Credentials
The skill declares no required env vars or credentials. In practice `infsh login` implies interactive authentication or tokens stored outside the skill, but the SKILL.md does not document required credentials or how they are stored. That omission is not necessarily malicious but users should expect to provide/authorize credentials for the remote service.
Persistence & Privilege
The skill does not request permanent presence (always:false), contains no code files, and does not modify other skills or system-wide settings. Autonomous invocation is allowed (default) but is appropriate for an instruction-only helper.
Assessment
This skill appears to do what it says: generate Open Graph/social images using the inference.sh CLI. Before installing or using it:
1) Treat `curl https://cli.inference.sh | sh` as potentially risky — prefer to download the installer and verify the SHA-256 checksum from the provided checksums.txt before running.
2) Expect that example HTML and image content will be sent to inference.sh; do not send sensitive data (secrets, private user data, proprietary HTML) unless you trust their privacy policies.
3) `infsh login` implies credentials or tokens — confirm how those are stored and revoke them if needed.
4) If you prefer to avoid remote services, consider local HTML-to-image tools or a vetted package manager installation.
If you want a deeper assessment, provide the actual installer script (https://cli.inference.sh) and the dist.inference.sh checksums page so I can inspect what's being downloaded and how verification is performed.
Like a lobster shell, security has layers — review code before you run it.
