Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
muapi-media-generation
v1.0.0Generate AI images, videos, music, and audio from the terminal via muapi.ai — supports 100+ models including Flux, Midjourney v7, Kling 3.0, Veo3, and Suno V5
⭐ 0· 191·0 current·0 all-time
byAnil Chandra Naidu Matcha@anil-matcha
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The scripts match the stated purpose (image/video/audio generation via api.muapi.ai). However the registry metadata declares no required env vars or binaries while SKILL.md and the scripts explicitly require MUAPI_KEY, curl, jq, and python3, and the scripts expect schema_data.json for dynamic model/endpoint resolution. The missing declarations and missing schema_data.json file are incoherent with the stated quick-start and make the package incomplete.
Instruction Scope
Runtime instructions and scripts operate within the expected domain (calling api.muapi.ai endpoints, uploading local files when requested, polling results, downloading outputs). They read and write a local .env file (storing MUAPI_KEY) and may upload any file the user supplies to the muapi.ai upload endpoint — which is expected for an upload utility but is sensitive behavior that should be explicit. The scripts also expect a local schema_data.json (not provided) which changes runtime behavior and endpoints; that external config is not declared or included.
Install Mechanism
No install spec; this is an instruction-only skill with included shell scripts. No external archives or remote downloads are performed by the skill itself at install time.
Credentials
The scripts require a MUAPI_KEY API key passed via environment or stored in a .env file, but the skill metadata did not declare this required credential or the required binaries. Requiring a single API key is proportionate for the advertised functionality, but the metadata omission is an important mismatch to surface.
Persistence & Privilege
The skill does not request elevated platform privileges or always:true. It writes a .env file and creates local output directories under relative paths; this is local persistence but limited in scope to the working directory.
What to consider before installing
This package contains working shell scripts that call api.muapi.ai and will upload any files you ask them to. Before using: (1) Do not run with sensitive files unless you trust muapi.ai — upload.sh will POST local files to api.muapi.ai. (2) The skill metadata is incomplete: MUAPI_KEY and required tools (curl, jq, python3) are required but not declared, and schema_data.json (used to map models to endpoints) is referenced by the scripts but not included. Ask the publisher for the missing schema_data.json or supply it from a trusted source. (3) Inspect the included scripts (they are visible) to confirm behavior; note they store the API key in a local .env file when using --add-key. If you proceed, set MUAPI_KEY in a controlled environment (or a credential vault) and run in an isolated/test environment first. (4) If you need higher assurance, request the publisher provide accurate metadata, include schema_data.json, or sign the package from a verifiable homepage/source before trusting real API keys.Like a lobster shell, security has layers — review code before you run it.
latestvk970s66jy2afjxnb8qcd59m9rs82tq8n
License
MIT-0
Free to use, modify, and redistribute. No attribution required.