Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
krea
v1.0.0
Generate images, videos, upscale images, and train LoRA styles with the Krea.ai API using customizable models and parameters.
by Albert Salgueda (@albertsalgueda)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts clearly implement image/video generation, enhancement, model listing, and pipelines against api.krea.ai which matches the skill name/description. However the registry metadata lists no required environment variables while the code expects a KREA_API_TOKEN (or --api-key). The missing declaration in metadata is an inconsistency.
Instruction Scope
Runtime instructions and scripts stay within the stated purpose (they call the Krea API, upload local files, poll job status, and download results). They do read local files (to upload assets) and write outputs and a .pipeline-state.json manifest to the working directory. This is expected for the skill but means local files you point at will be uploaded to a third-party service — a privacy/exfiltration risk if you accidentally supply sensitive paths.
Install Mechanism
No install spec; the skill is instruction/code-only and runs Python scripts. That is low risk from an installation-attack surface perspective (nothing is downloaded/executed automatically during install).
Credentials
The code requires a KREA_API_TOKEN (checked via get_api_key) but the skill registry metadata did not declare this required environment variable. Aside from that, no unrelated credentials or broad OS-level secrets are requested. The absence of KREA_API_TOKEN in metadata is a mismatch that could confuse users about what will be sent to the network.
Persistence & Privilege
The skill does not request permanent/always-on presence and does not alter other skills or global agent config. It writes output files and a local .pipeline-state.json manifest in the working directory, which is expected for workflows but not a global privilege escalation.
What to consider before installing
This skill appears to do what it claims (it talks to https://api.krea.ai to list models, submit jobs, upload local images, and download results), but consider the following before installing or running:
(1) The code expects a KREA_API_TOKEN (or you must pass --api-key) but the registry metadata did not declare that — confirm where to store your API token and that you trust the token's scope.
(2) Any local file path you pass (image/video) will be uploaded to the remote API; avoid pointing it at sensitive files.
(3) The scripts will create output files and a .pipeline-state.json in your current working directory.
(4) Verify you trust api.krea.ai and the skill author (no homepage/source provided).
If you want higher assurance, ask the publisher to update the registry metadata to list KREA_API_TOKEN and provide a homepage or source repository, or manually review/execute the scripts in a sandboxed environment before granting your real API token.
Like a lobster shell, security has layers — review code before you run it.
