krea
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill coherently uses Krea.ai to generate media, but users should know it needs a Krea token, can spend compute credits, and may upload selected media.
This looks like a purpose-aligned Krea.ai integration rather than malicious behavior. Before installing, make sure you trust the source, use a revocable Krea API token, confirm paid or multi-step jobs before running them, and avoid sending private images unless you are comfortable with Krea processing them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the provided Krea account token to submit jobs, which may consume the user's Krea credits or quota.
The scripts require or accept a Krea API token, while the registry metadata lists no primary credential or required environment variable. This appears purpose-aligned, not deceptive, but users should understand account access is involved.
key = args_key or os.environ.get("KREA_API_TOKEN") ... "Error: No API key provided. Set KREA_API_TOKEN or pass --api-key"
Provide only a Krea API token you intend to use for this skill, prefer a scoped or revocable token if Krea supports it, and declare `KREA_API_TOKEN` in the skill metadata.
Generating images/videos, upscaling, training styles, or running pipelines can spend Krea compute credits, especially if repeated or parallel jobs are run.
The skill openly uses Krea compute units and even provides cost-aware workflow guidance. This is expected for a paid generation API, but it is still a user-impacting action.
Run `list_models.py` to get the live list of models, CU costs ... Goal: fast iteration without burning CU on expensive models until the prompt is right.
Review the model and estimated CU cost before expensive jobs or pipelines, and ask the agent to confirm before running multi-step or high-cost operations.
Private or sensitive images used for enhancement, generation inputs, or LoRA training may leave the local machine and be processed by Krea.ai.
The training workflow can process many user-supplied image URLs or local files through Krea. This is central to LoRA training, but it means selected media is sent to the provider.
parser.add_argument("--urls-file", help="Text file with one URL per line") ... resolved_urls.append(ensure_image_url(url, api_key))
Only pass images and URLs you are comfortable sending to Krea, and review Krea's privacy/retention terms before using personal or confidential media.
Running the scripts may install or resolve dependencies from the Python package ecosystem, which adds ordinary supply-chain exposure.
The scripts use inline runtime dependency metadata with an unpinned `requests` dependency. This is a normal lightweight Python script pattern, but it relies on package resolution at runtime.
# dependencies = ["requests"]
Use a trusted Python/uv environment, consider pinning dependency versions, and verify the skill source before running it with a valuable API token.
