muapi-media-generation

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its media-generation purpose, but it needs review because its shell scripts automatically source a local .env file as executable shell code and persist/use a MUAPI API key.

Install only if you are comfortable sending prompts and selected media files to muapi.ai. Store MUAPI_KEY carefully, do not run these scripts from untrusted directories containing a .env file, and verify the missing schema_data.json/dependency setup before use.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill from a directory containing an unsafe .env file could execute unintended local commands with the user's permissions.

Why it was flagged

Sourcing .env runs it as shell code from the current working directory, which is more powerful than simply reading an API key and can execute unexpected commands if the file is malicious or untrusted.

Skill content

if [ -f ".env" ]; then source .env 2>/dev/null || true; fi

Recommendation

Load only the MUAPI_KEY value safely instead of sourcing the whole .env file, and avoid running the scripts from untrusted directories.

What this means

Anyone or any process with access to that .env file may be able to use the user's muapi.ai API key.

Why it was flagged

The skill can save a provider API key into a local plaintext .env file for later use.

Skill content

echo "MUAPI_KEY=$KEY_VALUE" >> .env

Recommendation

Prefer a protected environment variable or secret manager, ensure .env is not committed or shared, and restrict file permissions.

What this means

Files chosen for upload leave the local machine and may be stored or served by the provider.

Why it was flagged

The upload helper sends a user-selected local file to the muapi.ai API/CDN using the user's API key.

Skill content

RESP=$(curl -s -X POST "${MUAPI_BASE}/upload_file" -H "x-api-key: $MUAPI_KEY" -F "file=@${FILE}")

Recommendation

Only upload files you intend to send to muapi.ai, and review the provider's retention and sharing behavior.

What this means

Some generation commands may fail or rely on an external schema file that was not included in the reviewed manifest.

Why it was flagged

The image and video generation scripts depend on a schema_data.json file outside the listed skill files, creating a packaging/provenance and reliability gap.

Skill content

SCHEMA_FILE="$(dirname "$0")/../../schema_data.json"

Recommendation

Bundle or clearly declare schema_data.json and the required runtime dependencies in the skill metadata.