Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Generation

v0.1.5

Generate AI videos with Google Veo, Seedance, Wan, Grok and 40+ models via inference.sh CLI. Models: Veo 3.1, Veo 3, Seedance 1.5 Pro, Wan 2.5, Grok Imagine...

2 · 1.8k · 15 current · 16 all-time
by Ömer Karışman (@okaris)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and the SKILL.md are consistent: the skill is an instruction-only wrapper telling the agent to use the inference.sh CLI to run many text/image->video models. All required actions (install CLI, run infsh app run ...) fit the described capability.
Instruction Scope
The runtime instructions are narrowly scoped to installing the inference.sh CLI and running its apps. They do include examples that upload media via URLs and call many third-party model apps. The instructions do not ask the agent to read unrelated system files, but they do instruct interactive 'infsh login' and to install a remote binary, which implies creation/storage of credentials and uploading user media to remote services — expected for this use case but a privacy/data-exfiltration consideration.
Install Mechanism
There is no formal install spec in metadata, but SKILL.md instructs running a remote install script via 'curl -fsSL https://cli.inference.sh | sh' which downloads binaries from dist.inference.sh. While the doc claims SHA-256 checksums are available, piping a remote script to sh and pulling binaries from a project-hosted domain is higher risk than using a vetted package repository. This is coherent with the skill's purpose but increases attack surface and trust requirements.
Credentials
The skill metadata declares no required env vars or primary credential, yet the instructions call 'infsh login' (implying an account and credentials will be created/stored). That mismatch isn't necessarily malicious, but users should expect the CLI to request authentication and persist tokens locally; those credentials are not declared in the skill manifest.
Persistence & Privilege
The skill does not request always: true, has no install spec that modifies other skills or system-wide settings, and is user-invocable. It does not demand persistent elevated privileges in the manifest.
What to consider before installing
This skill is coherent for generating videos but requires installing and trusting a third-party CLI downloaded at runtime. Before installing or running it:
1) Verify the project domain (cli.inference.sh / dist.inference.sh) and inspect the install script and published checksums yourself rather than piping blindly to sh.
2) Understand that 'infsh login' will create and store credentials and that the CLI will send media (images/audio/video) to remote models — do not upload sensitive or private content.
3) Prefer running the installer in a sandbox or VM if you want to limit risk.
4) Check the service's privacy/terms and confirm model provenance/licensing for commercial use.
5) If you want tighter control, ask for a manifest that declares the auth token behavior and a verified install mechanism (e.g., package repository or reproducible release URL and checksum).

Like a lobster shell, security has layers — review code before you run it.
