Youtube Thumbnail Design
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: youtube-thumbnail-design
Version: 0.1.5
The skill utilizes a `curl -fsSL ... | sh` pattern in `SKILL.md` for installing the `inference.sh` CLI, which introduces a supply chain vulnerability by executing a remote script directly. Furthermore, it grants broad `allowed-tools: Bash(infsh *)` permissions, creating a potential prompt injection surface if the AI agent is manipulated to execute unintended `infsh` commands. While these present significant security risks, there is no direct evidence of intentional malicious behavior such as data exfiltration, persistence, or backdoors within the skill's provided code or instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI means trusting an external download source before using the skill’s image-generation workflow.
The skill directs users to install a third-party CLI through a remote shell script. This is disclosed and purpose-aligned, but users should verify the installer and source before running it.
`curl -fsSL https://cli.inference.sh | sh && infsh login`
Review the installer source, use the documented manual checksum verification if possible, and install only if you trust inference.sh.
The agent may be able to run inference.sh commands for external model generation, which could consume service credits or create outputs through that account.
The skill allows Bash execution for inference.sh CLI commands. This is aligned with generating thumbnails, but it is broader than a single fixed generation command.
`allowed-tools: Bash(infsh *)`
Use the skill for user-requested thumbnail generation only, and review generated prompts or commands before running them if account cost or usage matters.
Using the skill may rely on your inference.sh account and any billing, quota, or access permissions attached to it.
The workflow requires logging into inference.sh. This is expected for a hosted generation service, but it introduces account/session authority not declared as a registry credential.
`infsh login`
Log in with an account appropriate for this use, and avoid giving the CLI broader access than needed.
Thumbnail prompts or creative details you provide may be processed by external AI services.
The examples submit prompts to hosted model providers through inference.sh, including falai and bytedance models. This is disclosed and central to the skill, but it means prompt content is sent externally.
`infsh app run falai/flux-dev-lora --input ...`
Do not include private, confidential, or unreleased information in prompts unless you are comfortable sending it to the provider.
