Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
muapi-media-editing
v1.0.0Edit and enhance images and videos with AI via muapi.ai — prompt-based editing, upscaling, background removal, face swap, lipsync, video effects, and more
⭐ 0· 195·0 current·0 all-time
byAnil Chandra Naidu Matcha@anil-matcha
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill advertises muapi.ai image/video editing and the scripts call https://api.muapi.ai, which is consistent. However the registry metadata declares no required env vars or binaries while SKILL.md and the scripts require MUAPI_KEY and tools (curl, jq, python3) — a clear mismatch. edit-image.sh also expects an external 'muapi' CLI and calls ../media/upload.sh and check-result.sh (not present in the bundle), so the shipped files + metadata are incomplete for the stated capability.
Instruction Scope
The runtime scripts do what the README says: upload files and POST to muapi.ai endpoints for edits, upscales, face-swap, lipsync, etc. They will auto-upload local files when you pass --file and will save a provided API key into a .env file in the current directory. They do not attempt to read unrelated system files or other credentials, but they do transmit user media (including face images/videos) to an external API — this is expected for the feature but privacy-sensitive.
Install Mechanism
There is no install spec (instruction-only with shell scripts). No downloads or remote installers are performed by the skill itself. The scripts make network requests to api.muapi.ai (expected), which is the primary runtime network activity.
Credentials
The scripts require MUAPI_KEY (used in x-api-key header) but the registry metadata did not declare any required env vars or primary credential. The skill writes MUAPI_KEY into a .env file when run with --add-key, which is persistent on disk and may be surprising. Aside from MUAPI_KEY and typical CLI tools, no unrelated secrets are requested.
Persistence & Privilege
always:false (normal). The scripts persist the API key to a local .env file in the current working directory — a modest persistence and privacy consideration but not a global privilege escalation. The skill does not modify other skills or system-wide configuration.
What to consider before installing
This skill appears to implement the advertised muapi.ai editing features, but the package is sloppy: the registry metadata doesn't list the MUAPI_KEY and required binaries (curl, jq, python3, possibly a 'muapi' CLI), and some helper scripts referenced by the code (e.g., ../media/upload.sh, check-result.sh) are not included. Before using: 1) verify and obtain a MUAPI_KEY only if you trust api.muapi.ai; 2) inspect and run the scripts in an isolated environment (container or VM); 3) be aware the scripts will upload any local media you pass (including faces) to the external service — avoid uploading private/sensitive material; 4) note that the key is saved to a .env file in the working dir if you use --add-key; store keys securely and delete .env if undesired; 5) consider contacting the skill author or source to get a完整 package or correct registry metadata and confirm the missing helper scripts and CLI dependency. If you need help checking the muapi.ai domain or sanitizing the package, gather the missing files or a trusted upstream repo and re-run evaluation.Like a lobster shell, security has layers — review code before you run it.
latestvk97fw4x4hqw1r775mcht2gfmys82tkng
License
MIT-0
Free to use, modify, and redistribute. No attribution required.