deAPI - AI Media Generation Toolkit
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent deAPI media toolkit, but it sends user-provided text/media to deAPI and uses a deAPI API key, so users should consider privacy and account-credit impact.
Install if you are comfortable sending selected prompts, media files, URLs, and text to deAPI for processing. Set a dedicated DEAPI_API_KEY, review files before upload, avoid sensitive content unless deAPI is an acceptable processor for it, and implement webhook signature checks if using server integrations.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can consume credits or reveal account balance for the deAPI account tied to the API key.
The skill needs a deAPI account credential to submit jobs and check balance; this is purpose-aligned and disclosed, but the registry metadata does not list a required env var or primary credential.
Requires `DEAPI_API_KEY` environment variable: export DEAPI_API_KEY=your_key
Use a service-specific deAPI key, monitor account usage, and avoid placing broader credentials in the DEAPI_API_KEY variable.
A mistaken file path or URL could send unintended media to a third-party processing service.
The command template uploads a user-selected local image file to deAPI via curl, which is expected for image upscaling but should be user-confirmed.
curl -s -X POST https://api.deapi.ai/api/v1/client/img-upscale ... -F image=@{local_file_path}
Confirm the exact file path, URL, and prompt before running media commands, especially for private or copyrighted content.
Private text embedded and saved for later use may be reused in future search or retrieval workflows.
The embedding command can turn user text into vectors for later search or RAG use; this is core functionality and appears user-directed, but embeddings may preserve sensitive meaning.
Offer to save or use the embedding ... Use cases: Semantic search, RAG
Only embed and save text that is appropriate for reuse, and store generated embeddings in a location with suitable access controls.
If webhook verification is skipped, an exposed endpoint could accept spoofed job-completion events or untrusted result URLs.
The setup command documents optional webhook and websocket result delivery; it includes signature-verification guidance, but secure handling depends on the user's implementation.
Add `webhook_url` to any request ... Security: Verify signature in `X-DeAPI-Signature` header (HMAC-SHA256).
Verify webhook signatures, restrict webhook endpoints where practical, validate event fields, and treat result URLs as untrusted until checked.
