Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Email Design
v0.1.5Email marketing design with layout patterns, subject line formulas, and deliverability rules. Covers welcome sequences, promotional emails, transactional tem...
⭐ 0· 1k·6 current·7 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill is an instruction-only email design guide and uses an image-generation CLI (inference.sh) for header/banner creation — that is coherent with email design and visual generation needs.
Instruction Scope
The SKILL.md stays within email design advice and shows concrete commands to generate header images. However, it explicitly instructs running a remote installer (curl -fsSL https://cli.inference.sh | sh) and then running 'infsh login' which involves an external service and credentials; the metadata does not declare any required credentials or environment variables to reflect that dependency.
Install Mechanism
There is no install spec in the registry, but the instructions tell the user/agent to run a remote install script from cli.inference.sh/dist.inference.sh (curl | sh). This is a higher-risk install pattern because it downloads and executes code from a third-party domain rather than a well-known release host; the SKILL.md claims SHA-256 checksums are available, but the installer+download-from-URL pattern and nonstandard host are disproportionate to the simple task of image generation unless you trust the provider.
Credentials
The skill metadata lists no required environment variables or primary credential, yet the runtime instructions call 'infsh login', implying an external account/API key may be required. The absence of declared credentials is an inconsistency — users/agents should expect to supply credentials to the external service, and that requirement should be explicit.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide config writes. It is instruction-only and does not request elevated or persistent platform privileges in metadata.
What to consider before installing
This skill appears to be a legitimate email-design guide, but exercise caution before installing or executing anything it suggests. Specific recommendations: 1) Do not run curl | sh on cli.inference.sh without validating the installer — prefer manually downloading the binary or inspecting the script first. 2) Verify the CLI provider (inference.sh) reputation and fetch checksums from a trusted source; compare SHA-256 before running any binary. 3) Expect to supply credentials when using 'infsh login' — the skill metadata does not declare that, so be careful where you store/provide API keys. 4) If possible, run the installer and CLI in an isolated environment (VM/container) to limit blast radius. 5) If you need only static guidance (templates, subject-line formulas), you can use the skill without installing the external CLI. If you plan to use the image-generation feature, confirm the provider's privacy/security policies and consider an alternative from a well-known source (e.g., GitHub releases) or an image tool you already trust.Like a lobster shell, security has layers — review code before you run it.
latestvk97cqntg7k4nqym2qrgzz3k1px81d82r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.