ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

deAPI - AI Media Generation Toolkit

v1.0.0

AI media generation via deAPI. Transcribe YouTube/audio/video, generate images from text, text-to-speech, OCR, remove backgrounds, upscale images, create vid...

0· 200·0 current·0 all-time
byAlex Glowacki@aleglowa
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the instructions: this is a deAPI client for image/audio/video/OCR/embeddings and related tasks. The functionality described (calling deapi.ai endpoints) is consistent with the skill's purpose. However, the registry metadata lists no required environment variables while SKILL.md explicitly requires DEAPI_API_KEY — a clear mismatch.
Instruction Scope
SKILL.md provides step-by-step cURL flows for job submission, polling, result fetching, and sample webhook/websocket boilerplate. It instructs the agent to download user-provided URLs to /tmp and then upload them to deapi.ai (expected for media processing). This is within scope but does involve downloading arbitrary remote content and sending it to a third-party service — a privacy/exfiltration concern if users provide sensitive URLs or files. The instructions do not tell the agent to read unrelated system files or other creds.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal filesystem footprint and no arbitrary third-party packages to fetch at install time.
!
Credentials
SKILL.md requires DEAPI_API_KEY (and shows how to export it), but the registry metadata reported no required env vars or primary credential. That mismatch is concerning: the skill needs a network API key (appropriate for its purpose) but the package metadata fails to declare it. No other unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request any system-level persistence or modify other skills. disable-model-invocation is false (normal), so the skill can be invoked autonomously; combined with the undeclared API key requirement this increases risk if the key is provided but the user is unaware of autonomous calls.
What to consider before installing
Key things to consider before installing: - The skill requires a DEAPI_API_KEY at runtime (SKILL.md shows export DEAPI_API_KEY) but the registry metadata does not declare this; expect to provide an API key if you use it. - Using the skill means media (files/URLs you supply) will be downloaded and uploaded to deapi.ai — do not supply private or sensitive URLs/files unless you trust deapi.ai and understand its privacy/retention policy. - The skill provides webhook/websocket samples; if you configure webhooks, ensure you properly implement signature verification and keep any webhook secrets private. - Because the skill can be invoked autonomously by the agent, an exposed DEAPI_API_KEY (or one you set globally) could be used without explicit prompts. Prefer scoping credentials and use per-project keys if possible. - Ask the publisher to correct the package metadata to declare DEAPI_API_KEY (and any other required env vars) so registry tooling and reviewers can accurately assess the need for secrets. - If you have low trust in deapi.ai or need strong privacy guarantees, do not use this skill for sensitive media; consider running local or self-hosted tools instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aty8h91m6jev53r1xqt1qr582rc2q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments