Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Product Changelog
v0.1.5
Product changelog and release notes that users actually read. Covers categorization, user-facing language, visuals, and distribution. Use for: release notes,...
⭐ 0· 617·3 current·3 all-time
by Ömer Karışman @okaris
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (writing changelogs, release notes, visuals) matches the instructions: the SKILL.md focuses on writing guidance plus generating visuals via inference.sh commands. The external visual-generation steps are coherent with the stated purpose.
Instruction Scope
SKILL.md stays on-topic: formatting guidance, categories, versioning, and examples for generating images via infsh app run. It does not instruct reading unrelated files, exporting secrets, or contacting endpoints outside of the visual/CLI workflow.
Install Mechanism
The skill itself has no install spec (lowest risk), but the runtime docs recommend piping a remote install script (curl https://cli.inference.sh | sh) and running infsh commands that fetch/execute apps. This is expected for the described visual generation, but piping a remote script is higher-risk in general — the doc claims checksums are available at dist.inference.sh which mitigates risk if verified.
Credentials
The skill declares no required env vars or credentials. It shows commands like infsh login which imply separate credentials to the inference.sh service, but the skill does not request unrelated secrets or multiple external credentials.
Persistence & Privilege
No persistent/install behavior is declared in the registry; always is false and the skill does not request elevated or cross-skill configuration changes. Autonomy (model invocation) is allowed by default but not combined with other red flags.
Assessment
This skill is an instruction-only helper for writing changelogs and optionally generating visuals via the third-party inference.sh CLI. Before running anything: (1) verify you trust the inference.sh domain and the dist.inference.sh checksums rather than blindly running curl | sh; consider manual download and checksum verification; (2) be aware infsh login will create credentials for that external service — treat those like any API key; (3) if you prefer safer testing, run the install and visual-generation commands in an isolated environment (container or VM); (4) if you need stronger assurance, ask the publisher for an authoritative homepage or code repo (the skill lists no source/homepage). If the inference.sh domain or the referenced app names are unfamiliar or untrusted, treat the install step as potentially risky.
Like a lobster shell, security has layers — review code before you run it.
latestvk975f07ahgzzxrnvcc8tqja0jx81cd0r
