Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Phaya Media API

v1.0.2

Use the Phaya SaaS backend to generate images, videos, audio, music, and run LLM chat completions via simple REST API calls. Use when the user wants to gener...

0 · 321 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Phaya Media API for images/video/audio/LLM) align with the instructions and examples, and the requested binaries (curl/python3) and optional tools (ffmpeg, yt-dlp) are appropriate for the described features. However, the top-level registry metadata in the provided summary claims no required env vars / primary credential while SKILL.md and clawhub.json both declare PHAYA_API_KEY and PHAYA_BASE as required — this manifest mismatch is inconsistent and may cause confusion or misconfiguration.
Instruction Scope
SKILL.md contains explicit REST call patterns, polling logic, and examples that stay within the declared purpose. It directs the agent to use PHAYA_API_KEY and PHAYA_BASE, to poll job status, and to optionally use local ffmpeg for a small subset of features. There are no instructions to read unrelated system files, harvest other env vars, or exfiltrate data to unexpected endpoints.
Install Mechanism
This is instruction-only (no install spec, no code files executed locally). That is the lowest-risk install pattern for this functionality.
Credentials
The only credentials the skill needs (per SKILL.md and clawhub.json) are PHAYA_API_KEY and PHAYA_BASE — these are proportional to a remote API integration and are justified by the service description. The concern is the packaging inconsistency: the top-level requirement summary reported 'Required env vars: none' and 'Primary credential: none', which contradicts the rest of the package. Verify which metadata the platform will enforce before enabling the skill.
Persistence & Privilege
The skill does not request always=true, has no install-time persistence, and uses normal agent invocation semantics. No elevated or system-wide privileges are requested.
Scan Findings in Context
[no_regex_findings] expected: The package is instruction-only and the static regex scanner found no code to analyze. Absence of findings is expected but does not substitute for manual review of SKILL.md and examples.
What to consider before installing
This skill appears to legitimately wrap a paid media-generation REST API and only needs an API key and base URL — which is proportionate. However, the published package metadata is inconsistent: the summary lists no required env vars while SKILL.md and clawhub.json clearly require PHAYA_API_KEY and PHAYA_BASE. Before enabling/installing:
(1) confirm the platform will prompt you to supply PHAYA_API_KEY and PHAYA_BASE (and that the key is scoped/limited),
(2) create a scoped/test API key with a small credit balance for initial testing,
(3) review billing/credit rates in SKILL.md to avoid surprise charges,
(4) if you want to limit risk, restrict or disable autonomous invocation for this skill until you’ve tested it, and
(5) verify the PHAYA_BASE endpoint you configure is trusted (ensure it is the official host you intend).
If the platform uses the incorrect top-level metadata (no required creds), the agent may fail to authenticate — ask the skill author or registry maintainer to fix the manifest inconsistency before broad use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97crsv8yhfssd52dyznndkhgn82ry1v

Runtime requirements

🎬 Clawdis
OS: Linux · macOS · Windows
Any bin: curl, python3
