Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Youtube Thumbnail Design
v0.1.5
YouTube thumbnail design with specific dimensions, contrast rules, and mobile preview optimization. Covers safe zones, text placement, face expression psycho...
by Ömer Karışman (@okaris)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
Name and description match the instructions: the SKILL.md solely describes generating thumbnails via the inference.sh (infsh) CLI and provides composition/visual guidance; no unrelated credentials, binaries, or system access are requested.
Instruction Scope
Instructions focus on thumbnail generation (prompts, sizes, composition rules, sample infsh commands). They do not ask the agent to read arbitrary host files, environment variables, or send data to unexpected endpoints in the visible content. (Note: SKILL.md was truncated — additional instructions past the truncation could change this assessment.)
Install Mechanism
The Quick Start recommends piping a remote install script (curl -fsSL https://cli.inference.sh | sh). That pattern executes remote code without local checksum verification and is high-risk. The file claims a checksum is available on dist.inference.sh, but the provided command bypasses any verification step. The install source is not a well-known package manager; this is proportionally excessive for a thumbnail design instruction-only skill.
Credentials
The skill declares no required env vars, credentials, or config paths. However, it invokes infsh login which implies the CLI may request or create credentials/tokens at runtime; that is expected for a model-inference service but users should be aware the CLI may obtain/store auth tokens.
Persistence & Privilege
always is false (good). disable-model-invocation is false (default), so the agent could invoke this skill autonomously when eligible — that is normal but increases blast radius if combined with the risky install pattern or if the CLI stores tokens. The skill does not request system-wide config changes in the visible content.
What to consider before installing
This skill appears to do what it says (generate thumbnail images and give design guidance) but take these precautions before installing or running it:
- Avoid running the recommended curl | sh pipeline. That pattern executes remote code immediately and bypasses verification. Instead, manually download the CLI binary or follow the manual install steps and verify the SHA-256 checksums on the project's dist.inference.sh site before running any installer.
- Expect the infsh CLI to require login/auth tokens. If you must authenticate, prefer short-lived credentials, inspect where tokens are stored, or run the CLI in an isolated environment (container or VM) so stored tokens cannot be reused by other tools.
- Review the remote domain (inference.sh / dist.inference.sh) and, if possible, inspect the CLI source or package artifacts before running. If you cannot verify provenance, run the workflow in a sandbox.
- Because part of the SKILL.md was truncated, consider asking the publisher for the full instructions and confirm there are no additional steps that read local files or post content to unexpected endpoints.
Given the insecure default install guidance and potential for the CLI to obtain credentials, proceed with caution — the skill is coherent but the install/runtime recommendations are risky unless you verify them manually.
latest: vk9797bnvqjjcanaj74xkkz03kx81creb
