ClawHub
Back to skill
v0.1.5

Talking Head Production

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:30 AM.

Analysis

This is a coherent instruction-only skill for AI talking-head video creation, but it relies on an external CLI, account login, and sending portrait/audio/video assets to external AI services.

GuidanceBefore installing, verify the inference.sh CLI installer and only upload portraits, voices, scripts, or videos that you are allowed to process with external AI services.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
curl -fsSL https://cli.inference.sh | sh && infsh login

The skill directs users to install an external CLI through a remote shell script rather than a registry install spec. This is disclosed and central to the workflow, but the installer provenance is outside the provided artifact set.

User impactRunning the setup command installs software from an external source before using the skill.
RecommendationVerify the CLI source, checksum, and installer instructions from inference.sh before running the setup command.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
infsh login

The workflow requires logging into the inference.sh CLI, which gives the tool access to a user account for running AI jobs. This is expected for the service integration and no credential leakage is shown.

User impactThe skill may run jobs under the user's inference.sh account and may incur account usage or charges depending on the service.
RecommendationUse the intended account, understand any billing or quota impact, and avoid sharing credentials in prompts or files.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
infsh app run bytedance/omnihuman-1-5 --input '{
  "image": "portrait.png",
  "audio": "narration.mp3"
}'

The documented workflow sends local portrait and audio/video inputs to external inference.sh apps. This is purpose-aligned, but it involves potentially sensitive face, voice, or likeness data.

User impactPersonal images, voice recordings, scripts, or generated videos may be processed by external AI providers.
RecommendationOnly use media you have rights and consent to process, and review the provider's privacy, retention, and usage terms.