v0.1.0

Fal.ai API

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 4:57 AM.

Analysis

This is a coherent fal.ai API client that needs a fal.ai key and sends user-provided prompts or media URLs to fal.ai, which matches its stated purpose.

Guidance

Before installing, be comfortable giving this skill a fal.ai API key and sending your prompts or media URLs to fal.ai. Use a dedicated key if possible, monitor credit usage, and avoid submitting sensitive content unless fal.ai's policies fit your needs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
fal_api.py
endpoint = self.MODELS.get(model, model)
url = f"{self.QUEUE_URL}/{endpoint}"
return self._request("POST", url, payload)

The client can submit payloads to listed or caller-supplied fal.ai endpoints, matching the documented broad fal.ai model support.

User impact: A user or agent can invoke many fal.ai models, potentially generating content or spending credits beyond the small example list.
Recommendation: Review the selected model and prompt before use; if needed, restrict usage to approved model names or workflows.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
fal_api.py
api_key = os.environ.get("FAL_KEY") or self._get_config("key") ... "Authorization": f"Key {self.api_key}"

The skill reads a fal.ai API key and uses it as the Authorization header for fal.ai requests.

User impact: Using the skill with your FAL_KEY lets it submit jobs under your fal.ai account, which may use account quota or paid credits.
Recommendation: Use a dedicated or revocable fal.ai key with appropriate limits, and monitor fal.ai usage if cost or quota matters.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
fal_api.py
payload = {"audio_url": audio_url, **kwargs}
return self.submit(model, payload)

Transcription sends the supplied audio URL to fal.ai, and the generation functions similarly send prompts and payloads to fal.ai's queue API.

User impact: Prompts and media URLs you provide are shared with fal.ai for processing; sensitive content may be handled by that provider.
Recommendation: Only submit private prompts, image URLs, or audio URLs if fal.ai's data-handling terms and your account settings are acceptable.