ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Python Sdk

v0.1.5

Python SDK for inference.sh - run AI apps, build agents, and integrate with 150+ models. Package: inferencesh (pip install inferencesh). Supports sync/async,...

0· 1.3k·5 current·5 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (Python SDK for inference.sh) matches the content: examples for sync/async clients, agents, tool-builder, file uploads, sessions, and streaming. The allowed tools (pip, python) and examples align with the declared purpose.
Instruction Scope
The runtime instructions are focused on SDK usage and remain within the SDK's purpose. However, the docs include examples that read local files, auto-upload file paths, use multipart uploads, and show how to enable code execution and eval-style handlers — all legitimate SDK features but they expand the agent's I/O surface and can send local data to an external service if used. The SKILL.md also shows webhook tools that call arbitrary external endpoints.
Install Mechanism
This is instruction-only with no install spec and no code shipped in the skill bundle, so nothing is written to disk by the skill itself. The documented install (pip install inferencesh) is standard for a Python SDK but is external to the skill bundle.
Credentials
The skill metadata declares no required environment variables, but the SKILL.md repeatedly shows using an API key (api_key parameter or INFERENCE_API_KEY env var). That mismatch is a documentation/metadata inconsistency: in practice the SDK needs an inference.sh API key to function. Examples also reference webhook secrets and third-party tokens (e.g., GITHUB_TOKEN, Slack webhooks) as part of examples—expected for integrations but not declared by the skill metadata.
Persistence & Privilege
The skill does not request always:true, no install, no config path access, and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (default) but is not combined with other elevated privileges here.
Assessment
This skill appears to be a documentation-only SDK integration for inference.sh and is coherent with that purpose — but take the following precautions before using it: 1) The SDK requires an inference.sh API key (examples use INFERENCE_API_KEY) even though the skill metadata lists no required env vars; treat that key like any secret and limit its scope. 2) Examples show automatic upload of local file paths and large-file multipart uploads — avoid pointing the SDK at sensitive files unless you intend to send them to the external service. 3) Webhook tools and public=true file options can make data reachable to third parties; verify webhook URLs and permissions. 4) Several examples enable code execution and show use of eval — running untrusted expressions or auto-executing code from agents is dangerous; require human approval and sanitize inputs. 5) The skill bundle is instruction-only and has no provenance (homepage unknown, owner id only). Before installing or running pip install inferencesh, verify the package source (official website or PyPI project page) and review the actual pip package contents and version to ensure you’re installing the legitimate SDK. If you need higher assurance, ask the publisher for a homepage or source repository link and inspect the released package code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eeyres45t9b9hedwjz3yx3n81de7r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments