Press Release Writing
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: press-release-writing
Version: 0.1.5
The skill is classified as suspicious due to the instruction in `SKILL.md` for the agent to execute `curl -fsSL https://cli.inference.sh | sh`. This command downloads and runs an arbitrary shell script from a remote server, posing a significant supply chain risk and potential for Remote Code Execution (RCE) if the remote script or server is compromised. While the skill's stated purpose of press release writing and fact-checking is benign, and the accompanying note attempts to justify the installation method, the instruction to execute untrusted remote code is a high-risk behavior and a vulnerability. Additionally, the skill instructs the agent to add other skills from `inference-sh/skills`, further expanding the reliance on external, potentially untrusted components.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running a remote installer can change the local environment and depends on the security of the external download source.
The skill recommends installing an external CLI by piping a remote script into the shell. This is disclosed and user-directed, but users should verify the installer source before running it.
curl -fsSL https://cli.inference.sh | sh && infsh login
Review the installer documentation and checksum verification path before running it, or use the manual install method if available.
The skill may rely on an external authenticated service to perform research, so users should understand which account is being used.
The skill asks the user to authenticate to the inference.sh CLI. This appears purpose-aligned for using its research apps, but it introduces account/session access not declared in the registry credential fields.
infsh login
Use an account with appropriate scope and review inference.sh’s authentication and data-handling behavior before logging in.
Company announcements, product details, or funding information entered into research queries could be shared with external services.
The skill routes research prompts through external apps such as Tavily and Exa via the infsh CLI. This is aligned with fact-checking, but user-provided press release facts may be sent to third-party services if used in queries.
infsh app run tavily/search-assistant --input
Avoid sending confidential or embargoed announcement details to external research tools unless sharing them is permitted.
