Modelslab : Generate Video, Images, LLMs using CLI and APIs

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is openly about ModelsLab, but it gives an agent broad billing, payment, account, API-key, team-management, and deepfake capabilities without enough scoping or approval safeguards.

Install only if you trust the publisher and actually need the account, billing, and deepfake capabilities. Prefer installing only the specific generation skill you need, use limited credentials, require manual approval for any billing/account/API-key/team action, set spending limits, and avoid headless card handling unless you have a controlled compliance process.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

With a bearer token, an agent could affect billing state, wallet funds, payment methods, invoices, or subscriptions.

Why it was flagged

The skill expects delegated account tokens for financial operations, not just read-only generation.

Skill content

Manage billing, wallet funding, payment methods, subscriptions, and coupons ... All billing endpoints require a bearer token.

Recommendation

Use least-privilege tokens where possible and require explicit human approval for every payment, subscription, saved-card, billing-info, or invoice action.

Finding 2

What this means

A misdirected or over-permissive agent could initiate charges or subscription changes during a headless workflow.

Why it was flagged

The documented recommended flow allows autonomous agents to handle card data and initiate wallet funding or subscriptions, but the artifacts do not define mandatory confirmation or spending limits.

Skill content

| **Headless** | Autonomous agents with card data | `GET /billing/stripe-config` -> tokenize via Stripe API -> pass `payment_method_id` to fund/subscribe |

Recommendation

Disable headless billing by default; require user confirmation, amount caps, and a clear transaction summary before any charge or subscription action.

Finding 3

What this means

An agent with this authority could create or rotate API keys, change profile/team settings, or manage account access in ways that persist beyond the current task.

Why it was flagged

Account signup, login, token refresh, API-key CRUD, and team management give the agent broad delegated authority over the user's ModelsLab account.

Skill content

Signup, login, email verification, token refresh, profile updates, API key CRUD, and team management via the Agent Control Plane API. Supports full headless agent flow.

Recommendation

Use separate limited-purpose agent credentials, review all API-key and team-management actions, and avoid granting this skill access unless those operations are needed.

Finding 4

What this means

The agent could create convincing unwatermarked impersonation media, which carries reputational, legal, and social-engineering risk.

Why it was flagged

The skill includes face-swap/deepfake generation and examples that disable watermarking, without visible consent or disclosure safeguards in the provided artifacts.

Skill content

Swap faces in images and videos using advanced AI-powered deepfake technology ... "watermark": False  # Set to True for watermark

Recommendation

Use this capability only with consent and clear disclosure; require watermarking or provenance labels and block requests involving non-consenting people.

Finding 5

What this means

If the webhook endpoint is not protected, spoofed callbacks or leaked result URLs could affect downstream processing.

Why it was flagged

Webhook workflows require a public callback endpoint that accepts posted result data; this is purpose-aligned but should be authenticated and validated.

Skill content

Make Your Endpoint Publicly Accessible ... ngrok http 8080 ... data = request.json

Recommendation

Use HTTPS, verify webhook authenticity with a shared secret or signature, validate payloads, and avoid putting sensitive user data in track IDs or result handlers.

Finding 6

What this means

Users may grant sensitive ModelsLab billing or account authority to a skill whose registry provenance is not fully established.

Why it was flagged

There is no runnable package to inspect, and the registry metadata does not independently verify the claimed official source.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the publisher and repository through ModelsLab's official website before installing or providing account, billing, or API-key access.