ClawHub
Back to skill
v0.1.5

Video Ad Specs

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:30 AM.

Analysis

The skill is a coherent, instruction-only guide for video ad specs and generation, with disclosed use of an external inference.sh CLI and login.

GuidanceThis appears safe to install as an instruction-only video ad helper, but treat the inference.sh setup and login as real external-service use: verify the installer source, understand any provider billing/quotas, and review commands before sending private media or prompts.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
curl -fsSL https://cli.inference.sh | sh && infsh login

The skill suggests installing an external CLI via a remote shell script. It is presented as a setup command for the stated video-generation purpose, but users should still verify the source before running it.

User impactRunning the setup command would download and execute installer code from inference.sh on the user's machine.
RecommendationOnly run the installer if you trust inference.sh; prefer the linked manual verification/checksum path when possible.
Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
SKILL.md
allowed-tools: Bash(infsh *)

The skill permits the agent to run infsh CLI commands, matching the documented video/audio generation examples. The allowed command scope is limited to infsh rather than broad shell use.

User impactWhen invoked, the agent may call external inference.sh apps to generate or process ad media, potentially consuming service credits or sending prompts/assets to that provider.
RecommendationReview generated commands before approving costly or asset-uploading operations, especially if using private media files.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
infsh login

The workflow requires logging in to the inference.sh CLI. This is expected for a provider-backed video generation skill, but it gives the CLI access to a user account/session.

User impactThe skill's workflows may use the user's inference.sh account and any associated quotas, billing, or generated assets.
RecommendationUse an account with appropriate limits and review provider permissions, billing, and generated-output handling before use.