test-should-be-removed

v0.0.2

AI image generation, editing, and background removal API via Bria.ai — authenticates via OAuth device flow and caches credentials in ~/.bria/credentials, the...

by Gal Davidi (@galbria)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, required binary (curl), declared env var (BRIA_API_KEY), config path (~/.bria/credentials), SKILL.md endpoint list, and the included helper script all match an image-generation/editing/background-removal integration with Bria.
Instruction Scope
Runtime instructions explicitly read ~/.bria/credentials and expect to cache OAuth/device-flow tokens there — this is coherent with the declared config path. The SKILL.md also instructs how to run the device flow and to show a single sign-in link to the user; these are within expected scope. A small oddity: the device authorization POST shown has no client_id/payload in the excerpt (truncated), which may mean the doc is incomplete rather than malicious.
Install Mechanism
Instruction-only skill with no install spec and a single bash helper script — no downloads, no extracted archives, and no external package installs. This is low-risk from an install mechanism perspective.
Credentials
Only BRIA_API_KEY is declared as required and the skill legitimately uses a local credentials file (~/.bria/credentials). No unrelated secrets or multiple service credentials are requested.
Persistence & Privilege
always:false and no indication the skill attempts to modify other skills or system-wide configs. It reads (and the auth flow likely writes) a credentials file under the user's home directory — expected for an API client. Autonomous invocation is allowed by default but is not combined with any other concerning privileges.
Assessment
This skill appears to do what it claims: call Bria.ai image APIs using curl and a Bria API key, caching tokens in ~/.bria/credentials. Before installing, consider:
1) You must provide BRIA_API_KEY and allow the skill to read/write ~/.bria/credentials — ensure the file is stored with restrictive permissions and rotate the key if needed.
2) The helper script base64-encodes local image files into temporary files under /tmp (it attempts to delete them afterward) — be aware of sensitive image data and that abrupt termination could leave remnants.
3) The SKILL.md excerpt is truncated in places (device authorization request lacks visible parameters), so review the full authentication flow to ensure it uses the official Bria endpoints and does not leak codes or tokens elsewhere.
4) Only install if you trust the skill source; if unsure, test in an isolated environment, use a limited-scope API key, and inspect any full/remaining SKILL.md or scripts before granting credentials.

Like a lobster shell, security has layers — review code before you run it.

latest vk972c9zb1d9bcc5fxrpa876fr583m1h6

Runtime requirements

🖼 Clawdis
Any bin: curl
Env: BRIA_API_KEY
Config: ~/.bria/credentials
Primary env: BRIA_API_KEY
