Product Hunt Launch

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: product-hunt-launch-2
Version: 0.1.5

The skill bundle instructs the AI agent to execute `curl -fsSL https://cli.inference.sh | sh` in `SKILL.md`. This command downloads and executes a shell script from a remote server, which is a common vector for Remote Code Execution (RCE) and supply chain attacks. While the `SKILL.md` attempts to explain the script's safety, this method inherently introduces a significant vulnerability, classifying the skill as suspicious due to this risky capability, even without clear evidence of intentional malicious behavior.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running this setup command installs software from an external domain on the user's machine.

Why it was flagged

The skill asks the user to install an external CLI via a remote shell script. This is disclosed and relevant to the skill's image/search workflow, but users should verify the source before running it.

Skill content

`curl -fsSL https://cli.inference.sh | sh && infsh login`

Recommendation

Use the manual verification path or independently verify the installer and checksum before running the setup command.

What this means

The agent may run infsh CLI commands if the skill is invoked, which can call external inference or search apps.

Why it was flagged

The skill permits Bash execution for infsh commands. That execution is purpose-aligned for generating images and running search assistants, but it is still local command execution.

Skill content

`allowed-tools: Bash(infsh *)`

Recommendation

Review infsh commands before approval, especially if they include private launch details or could incur account usage costs.

What this means

Commands may run under the user's inference.sh account and may use account quota, billing, or saved authentication state.

Why it was flagged

The setup flow requires authenticating to inference.sh. This is expected for the external CLI workflow, but it is an account/session dependency not declared as a required credential in metadata.

Skill content

`infsh login`

Recommendation

Log in only with an account you intend to use for this purpose, and check the service's access, quota, and billing settings.

What this means

Launch prompts, product descriptions, or research queries may be sent to external services.

Why it was flagged

The skill routes search and generation tasks through external apps/providers. This is disclosed and relevant to launch research, but the artifacts do not define provider data-handling boundaries.

Skill content

`infsh app run tavily/search-assistant --input`

Recommendation

Avoid including confidential launch plans, unreleased product details, credentials, or customer data in prompts or search queries unless you accept the provider's data handling terms.