fal

Security checks across malware telemetry and agentic risk

Overview

This is a coherent fal.ai helper, but it will use a fal API key, make network requests, upload selected files, and save generated outputs locally.

This skill appears purpose-aligned for fal.ai media generation. Before installing, be comfortable with setting a FAL_KEY, letting the agent call fal.ai APIs, potentially spending fal credits, uploading chosen files to fal's CDN, and storing generated media under your home directory.

VirusTotal

64/64 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent can make network requests and create/download files while using this skill, including fal job submissions that may consume API quota or credits.

Why it was flagged

The skill exposes raw curl/jq/mkdir and file read/write tools. The documented commands use them for fal.ai API workflows, so this is purpose-aligned but broader than a domain-scoped integration.

Skill content

allowed-tools: Bash(curl *), Bash(jq *), Bash(mkdir *), Read, Write

Recommendation

Use it for explicit fal.ai tasks, review model IDs and parameters, and question any unexpected curl command to a non-fal.ai domain or unrelated file operation.

ASI03: Identity and Privilege Abuse
Low
What this means

Requests made by the skill may use your fal.ai account quota or billing and depend on the permissions of the API key.

Why it was flagged

The skill uses the user's fal.ai API key to authenticate requests. This is expected for the integration, but it gives the agent delegated access to the fal account.

Skill content

Requires `FAL_KEY` environment variable ... -H "Authorization: Key $FAL_KEY"

Recommendation

Use a dedicated or least-privileged fal.ai key if available, keep it out of shared logs, and rotate it if it is exposed.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Any file you ask the skill to upload is transferred to an external provider and may be accessible through the returned URL according to fal.ai's handling of uploads.

Why it was flagged

The upload command sends a local file chosen by path to fal's external CDN and returns a URL for later model requests.

Skill content

Upload file `$1` to fal CDN: curl -s -X POST "https://fal.run/fal-ai/storage/upload" ... -F "file=@$1"

Recommendation

Only upload files you intend to share with fal.ai, double-check file paths, and avoid uploading private or sensitive media unless you understand the provider's retention and access policies.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

It may be harder to confirm who maintains this skill or whether it matches an official upstream project.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits independent verification of package provenance.

Skill content

Source: unknown; Homepage: none

Recommendation

If provenance matters, verify the publisher and compare the skill contents with a trusted fal.ai-maintained source before installing.