ClawHub
Back to skill
v0.2.4

Krea.ai API

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:52 AM.

Analysis

The skill is a coherent Krea.ai image-generation client; the main things to notice are its use of a local Krea API key and external API calls that may consume Krea account credits.

GuidanceBefore installing, confirm you are comfortable storing a Krea.ai API key for this skill and sending image prompts to Krea.ai. Keep the credential file permission-restricted, consider using a dedicated or revocable API key, and monitor Krea usage because generation jobs may consume credits.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
krea_api.py
BASE_URL = "https://api.krea.ai" ... req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST")

The skill sends prompts and generation parameters to Krea.ai to create image-generation jobs. This is purpose-aligned, but users should recognize it can consume API quota or paid credits.

User impactWhen invoked, the skill can create Krea.ai generation jobs under the user's account.
RecommendationUse the skill only for prompts you intend to send to Krea.ai, and monitor Krea usage or billing if the API key has paid quota.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown; Homepage: none

The provided metadata does not identify an upstream source or homepage. This is not suspicious by itself, but it reduces provenance clarity for a skill that asks for an API credential.

User impactUsers have less external context for verifying who maintains the skill or where updates originate.
RecommendationReview the included files before installing and compare the documented API behavior with Krea.ai's official documentation.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
description: Krea.ai API key (format: KEY_ID:SECRET) ... file: ~/.openclaw/credentials/krea.json ... required: true

The skill requires a Krea.ai API credential stored in a local file or supplied via CLI. This is expected for the integration, but it grants access to the user's Krea account API.

User impactAnyone or anything able to read the credential file could potentially use the user's Krea API access.
RecommendationUse a dedicated Krea API key if possible, keep the file permission-restricted, avoid passing secrets on shared command lines, and revoke the key if no longer needed.