Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Press Release Writing
v0.1.5
Press release writing in AP style with inverted pyramid structure. Covers formatting, datelines, quotes, boilerplates, and fact-checking. Use for: product la...
by Ömer Karışman (@okaris)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (AP-style press release writing, inverted-pyramid structure, quotes, boilerplates, fact-checking) aligns with the SKILL.md content. The guidance and examples are focused on press-release composition and style, and requesting research/fact-checking tools is coherent with that purpose.
Instruction Scope
The runtime instructions are narrowly scoped to writing and fact-checking: they provide templates, rules, and explicit sample commands for using the inference.sh CLI to run search/answer apps. They do instruct the agent to run networked commands that will send queries to external services (infsh apps), so any user content or claims will be transmitted externally — this is expected for research but worth noting from a privacy perspective. The instructions do not ask the agent to read unrelated local files or environment variables.
Install Mechanism
There is no formal install spec; the SKILL.md tells the user/agent to run curl -fsSL https://cli.inference.sh | sh which downloads and executes a remote install script and a binary from dist.inference.sh. That host is not a standard well-known release host (e.g., GitHub releases) in this package manifest; while the doc claims SHA-256 checksum verification, executing remote install scripts and installing third-party binaries is a higher-risk action and should be validated manually. This is the primary reason for caution.
Credentials
The skill declares no required environment variables, credentials, or config paths — proportionate to a writing/PR assistant. However, because it relies on an external CLI for research, any text you provide (drafts, company names, sensitive details) may be sent to that external service. The skill itself does not request unrelated credentials or secrets.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. There is no indication it modifies other skills or system-wide configs. Autonomous invocation is allowed by default but not a unique red flag here.
What to consider before installing
This skill appears to do what it says (help write AP-style press releases) and uses an external CLI for research, but it instructs running a remote install script (curl | sh) from dist.inference.sh — that installs a binary from a third party and is the main risk. Before installing:
(1) Inspect the install script and binary checksums yourself (don’t blindly run curl | sh).
(2) Verify the checksum against an independent source and consider downloading via a trusted package manager or a known release host.
(3) Run the install in a sandbox or isolated environment if possible.
(4) Be mindful that any drafts or company-sensitive queries will be sent to the external inference.sh service — avoid sending secrets or confidential data.
(5) Ask the skill maintainer for a clearer, auditable install method and a privacy/terms link describing what inference.sh logs or retains.
If you can’t verify the installer or don’t want to send queries externally, treat this skill as risky and avoid installing it.
Like a lobster shell, security has layers — review code before you run it.
