
Security audit

deAPI - AI Media Generation Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent deAPI media-processing skill, but users should understand that their selected prompts, text, files, and media URLs are sent to deAPI for cloud processing.

Install only if you are comfortable sending selected prompts, text, image/audio/video URLs, and uploaded media to deAPI. Use a dedicated API key stored as an environment variable, avoid secrets or regulated data unless deAPI is approved for that use, verify URLs before processing, and clean up temporary downloaded images when handling sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (27)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises media processing features but does not clearly disclose that user-provided audio, video, images, and text will be sent to an external third-party service. This can cause users to unknowingly transmit sensitive or regulated data off-platform, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The setup section instructs users to configure an API key but does not warn them to protect the credential or avoid exposing it in prompts, logs, screenshots, repositories, or client-side code. This increases the chance of accidental credential leakage, which could allow unauthorized use of the deAPI account and depletion of credits or access to associated data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends user-provided text to a third-party API for embedding generation but does not clearly warn the user that their input will leave the local environment. This creates a privacy and data-handling risk, especially if users paste sensitive, proprietary, or regulated content assuming the operation is local.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly sends user-supplied text to a third-party TTS service but does not warn users that their content will leave the local environment. This is a real privacy/security issue because users may provide sensitive text assuming local processing, and the skill also transmits it along with an API-backed authenticated request to an external vendor.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs sending user-supplied prompts directly to a third-party API using an API key, but it does not warn the user that their content will leave the local environment. This creates a real privacy and consent issue because prompts may contain sensitive or proprietary information, and the external transmission is central to the skill's behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends user-provided prompts and image URLs to a third-party API without any explicit user-facing disclosure or consent step. In an agent context, users may reasonably assume inputs stay local, so silent transmission can expose sensitive text, private links, or proprietary media references to an external service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to download a user-supplied remote image and then upload it to a third-party OCR service without an explicit warning or consent step about external network transfer and third-party processing. This creates a real privacy and data-handling risk, especially if users provide sensitive screenshots, IDs, receipts, or documents and do not realize the content leaves the local environment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
If a user supplies an image URL, the skill instructs the agent to download that image and then upload it to deAPI without any explicit user-facing disclosure that the content will be transferred to a third-party service. This creates a privacy and data-handling risk, especially if the image contains personal, sensitive, or proprietary information the user may not expect to leave their environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs sending user-supplied media URLs and an authorization token to a third-party API, but provides no privacy notice, consent step, or data-handling warning. Because transcription content may contain sensitive audio/video and the service receives both the target media reference and account-scoped credentials, this creates a real data-sharing and privacy risk even if the service is legitimate.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to download user-supplied image URLs locally and then upload the resulting image content to deAPI, but it never tells the user that their supplied media will be transmitted to a third-party service. This creates a real privacy and data-handling risk, especially if users provide sensitive or private images and do not realize they are being sent off-platform.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
If the user supplies a URL, the skill downloads that remote resource to a temporary local file and then uploads it to a third-party API, but it provides no user-facing notice about either transmission step or temporary local storage. This can expose sensitive images, create privacy/compliance issues, and enables server-side fetching of attacker-controlled URLs without documented validation or restrictions.

External Transmission

Medium
Category
Data Exfiltration
Content
## Step 2: Send request

```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2embedding" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
91% confidence
Finding
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2embedding" \ -H "Authorization: Bearer $DEAPI_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Step 2: Send request

```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2embedding" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
91% confidence
Finding
https://api.deapi.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
## Step 2: Send request

```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2audio" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
95% confidence
Finding
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2audio" \ -H "Authorization: Bearer $DEAPI_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Step 2: Send request

```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2audio" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
95% confidence
Finding
https://api.deapi.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
## Step 2: Send request

```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2img" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
87% confidence
Finding
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2img" \ -H "Authorization: Bearer $DEAPI_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Step 2: Send request

```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2img" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
87% confidence
Finding
https://api.deapi.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**For Text-to-Video:**
```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2video" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
92% confidence
Finding
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2video" \ -H "Authorization: Bearer $DEAPI_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "prompt": "{prompt}", "duration":

External Transmission

Medium
Category
Data Exfiltration
Content
**For Text-to-Video:**
```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/txt2video" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
92% confidence
Finding
https://api.deapi.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**For Image-to-Video (animation):**
```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/img2video" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
93% confidence
Finding
https://api.deapi.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**Note:** This endpoint requires `multipart/form-data` with file upload.

```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/img2txt" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -F "image=@{local_file_path}" \
  -F "model=Nanonets_Ocr_S_F16"
```
Confidence
89% confidence
Finding
https://api.deapi.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**Note:** This endpoint requires `multipart/form-data` with file upload.

```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/img-rmbg" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -F "image=@{local_file_path}" \
  -F "model=Ben2"
```
Confidence
88% confidence
Finding
https://api.deapi.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**For video:**
```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/vid2txt" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"video_url": "$ARGUMENTS", "include_ts": true, "model": "WhisperLargeV3"}'
```
Confidence
92% confidence
Finding
curl -s -X POST "https://api.deapi.ai/api/v1/client/vid2txt" \ -H "Authorization: Bearer $DEAPI_API_KEY" \ -H "Content-Type: application/json" \ -d '{"video_url": "$ARGUMENTS", "include_ts": tru

External Transmission

Medium
Category
Data Exfiltration
Content
**For video:**
```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/vid2txt" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"video_url": "$ARGUMENTS", "include_ts": true, "model": "WhisperLargeV3"}'
```
Confidence
92% confidence
Finding
https://api.deapi.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**For audio:**
```bash
curl -s -X POST "https://api.deapi.ai/api/v1/client/aud2txt" \
  -H "Authorization: Bearer $DEAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"audio_url": "$ARGUMENTS", "include_ts": true, "model": "WhisperLargeV3"}'
```
Confidence
91% confidence
Finding
https://api.deapi.ai/

VirusTotal

66/66 vendors flagged this skill as clean.
