Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Product Hunt Launch
v0.1.5
Product Hunt launch optimization with specific specs, timing, and gallery strategy. Covers taglines, gallery images, maker comments, and launch day tactics....
⭐ 0· 691·1 current·1 all-time
by Ömer Karışman (@okaris)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Product Hunt launch optimization) aligns with the instructions: image generation, competitor research, taglines, timing, and maker comment templates. Using an image/AI CLI to create assets and a search assistant for research is coherent with the stated purpose.
Instruction Scope
The SKILL.md instructs the user/agent to run a remote installer (`curl https://cli.inference.sh | sh`), to run `infsh login`, and to operate on local files (e.g., before-state.png). Those runtime actions include executing remote code and accessing local images — reasonable for image generation but higher-risk because credentials and local file access are implied but not scoped or declared. The installer-and-login steps broaden the runtime authority beyond just 'give advice'.
Install Mechanism
There is no declared install spec, but the instructions explicitly pipe a remote install script to sh. Even though the README claims checksums are available at dist.inference.sh, piping an arbitrary remote script to a shell is high-risk. The skill should have declared installation requirements and recommended safer install steps (download, verify checksum, inspect, then run).
Credentials
The skill declares no required env vars or credentials, yet the instructions call `infsh login` and reference running third-party apps (falai/flux-dev-lora, tavily/search-assistant) that will likely require accounts/API keys. The absence of declared credentials is an inconsistency: the agent/user will need to provide external service auth, but the skill doesn't enumerate or justify them.
Persistence & Privilege
The skill is instruction-only, has no always:true flag, and does not request system-wide config modifications. It doesn't ask to persist tokens or modify other skills. However, installing the infsh binary (per the instructions) does add software to the system — that's standard but should be done consciously and safely.
What to consider before installing
This skill appears to do what it says (help with Product Hunt launches) but it asks you to install and log into an external CLI (inference.sh) by piping a remote script to sh and to use that service to generate/upload images and run research. Before installing/using it:
(1) Do not blindly run `curl | sh` — instead download the installer, verify the SHA‑256 checksum from the same verified source, and inspect the script.
(2) Expect to create accounts or API keys for inference.sh/falai/tavily; treat those credentials carefully and do not reuse high-privilege keys.
(3) Understand that running the CLI may upload local images or product copy to third-party servers — review the service's privacy/terms.
(4) Prefer installing in a sandbox/VM if you want to test.
(5) Ask the skill author to explicitly list required environment variables and clarify what the installer does; lack of those declarations is why this is rated 'suspicious.'
If those issues are addressed (explicit credential listing, safer install instructions, clear privacy/usage notes), reassess to a lower risk level.
Like a lobster shell, security has layers — review code before you run it.
