Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Related Skill
v0.1.5
Discover and install related skills from inference.sh skill registry. Helps find complementary skills for your AI workflow. Use for: skill discovery, workflo...
⭐ 0· 1.1k·3 current·3 all-time
by Ömer Karışman (@okaris)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name and description match the instructions: SKILL.md guides the user to search for and add inference.sh skills. The capabilities requested (discover/install skills) align with the commands shown.
Instruction Scope
Instructions are limited to running npx skills commands and visiting inference.sh URLs; they do not ask the agent to read local files, access unrelated env vars, or transmit arbitrary data. Minor inconsistency: the skill's declared requirements list no required binaries, but the runtime instructions assume npx/Node/npm is available.
Install Mechanism
There is no install spec for this skill (instruction-only). However, the instructions direct the user/agent to run npx to fetch and install packages from the npm ecosystem—this is expected for this purpose but carries the usual risk that npx executes remote package code at install time.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That matches its stated purpose of listing/installing inference.sh skills.
Persistence & Privilege
always is false and model invocation is allowed (platform defaults). The skill does not request persistent system-wide privileges or modification of other skills' configs; any persistence would come from running npx to install additional skills, which is expected behavior.
Assessment
This skill is essentially a how-to for using the inference.sh CLI. It does not itself ask for secrets or system access, but it assumes you (or the agent) will run npx commands that fetch and run remote packages. Before installing any listed skill, ensure you trust the inference.sh package and its publisher. Make sure Node/npm is intentionally available in your environment, and consider running installs in a controlled environment or sandbox if you want to limit the risk of executing untrusted package code. If you need the skill to declare required binaries, ask the publisher to list 'node'/'npm'/'npx' explicitly.
Like a lobster shell, security has layers — review code before you run it.
latest vk974w28hbbkqf7bkq6kw4fbt0x81cqpg
