Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Storyboard Creation

v0.1.5

Film and video storyboarding with shot vocabulary, continuity rules, and panel layout. Covers shot types, camera angles, movement, 180-degree rule, and annot...

by Ömer Karışman (@okaris)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md content (shot vocabulary, panel layout, commands to generate panels) aligns with a storyboard-creation skill. It explicitly relies on the inference.sh CLI and remote model runs (infsh app run) to produce images — that is coherent with the stated purpose. However, the registry metadata lists no install spec or required credentials, while the instructions include an install/login flow for a third-party service, which is an inconsistency.
Instruction Scope
The instructions tell users/agents to download and execute an external installer (curl | sh https://cli.inference.sh), run infsh login, and then run infsh app run which will send prompts and image files to a remote inference service and third‑party models. That means user prompts and any local files referenced (e.g., panel1.png) will be transmitted to the external service. The SKILL.md does not ask the agent to read broad system files, but it does implicitly require filesystem access for image files and network access to the service. The instructions give the agent explicit permission to run shell commands (allowed-tools: Bash(infsh *)), increasing the scope of what can be executed.
Install Mechanism
Although the registry shows no install spec, SKILL.md recommends installing via a piped shell script (curl -fsSL https://cli.inference.sh | sh). Piping a remote script directly to sh is a high-risk pattern because it executes code fetched from an external host without a manual review step. The file mentions checksum verification locations (dist.inference.sh/checksums.txt), which is better than nothing, but the one-liner encourages an automated fetch-and-run. This is a disproportionate install mechanism for an instruction-only storyboard helper and should be reviewed manually before running.
Credentials
The skill metadata declares no required environment variables or primary credential, but the runtime instructions explicitly call infsh login (an authentication step) and will rely on credentials stored by that CLI. That is a mismatch: the skill expects access to a third-party account/token but does not declare it. Also, running infsh app run will transmit prompts and possibly local images to remote models — sensitive content could be exposed. No other unrelated credentials are requested, but implicit credential creation is not surfaced in the metadata.
Persistence & Privilege
The skill does not request 'always: true' and does not declare system-level persistence. That is appropriate. However, following the SKILL.md install/login flow will create a locally stored CLI and authentication credentials (infsh login), which are persistent on the machine and could be used by the agent later. The skill itself does not request elevated privileges or system-wide config changes.
What to consider before installing
This skill seems to do what it says (storyboard guidance + image generation) but it instructs you to install and log into a third‑party CLI (inference.sh) via a curl|sh one-liner — a high-risk action. Before installing: (1) inspect the installer script at https://cli.inference.sh manually (do not run the pipe) and verify checksums from the listed dist URL; (2) understand that prompts and any local images you pass (panel1.png etc.) will be uploaded to a remote service and may be retained by the provider; (3) prefer manual installation of the CLI or using a vetted/local image-generation option if you need privacy; (4) be aware the SKILL.md expects you to authenticate (infsh login) even though the registry lists no credentials — treat that as an implicit requirement. If you want me to, I can fetch and summarize the installer script and the dist checksums URL for you (I won't execute anything) so you can inspect what would be installed.


latest: vk975c0erz3vz6rs79f6kpx2w1581c5fn
