Phosor AI

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to be a coherent Phosor AI video-generation client, but users should notice that it uses a billable API key, uploads media/model files, and can manage/delete Phosor assets.

This looks safe to use for its stated purpose if you trust Phosor AI. Before installing, understand that generated videos cost credits, uploaded images and LoRA files are sent to Phosor, and the API key should be protected. Keep PHOSOR_BASE_URL unset or pointed to `https://phosor.ai`, and confirm any submit or delete action before running it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent using this key can submit Phosor API requests that may consume credits.

Why it was flagged

The skill requires a Phosor API key that authenticates account actions and charges usage to the user's account.

Skill content

Keep your API key secret. Do not commit it to version control or share it publicly. All API calls are authenticated and billed through this key.

Recommendation

Use a dedicated Phosor API key if possible, keep it out of logs and shared files, and revoke or rotate it if exposed.

What this means

Accidental or repeated job submissions could consume Phosor credits.

Why it was flagged

Submitting video-generation jobs is the intended purpose, but it is a billable action.

Skill content

Credits are pre-deducted on submit. On failure/timeout, credits are automatically refunded.

Recommendation

Confirm prompts, resolution, frame count, and LoRA usage before submitting jobs, especially for higher-cost settings.

What this means

A mistaken delete command could remove a custom LoRA asset from the Phosor account.

Why it was flagged

The skill documents an account-mutating command for deleting a LoRA model. This is relevant to the stated LoRA-management purpose but should be user-directed.

Skill content

`delete-lora <lora_id>` — Delete a LoRA model

Recommendation

Only run deletion commands after confirming the exact LoRA ID and that deletion is intended.

What this means

Private photos, prompts, or custom model files may be sent to Phosor when those commands are used.

Why it was flagged

The skill intentionally transfers local images and LoRA model files to the Phosor service for processing.

Skill content

`upload-image <file>` — Upload image for I2V ... `upload-lora <high_noise_file> <low_noise_file>` — Upload LoRA

Recommendation

Upload only media and model files you are comfortable processing through Phosor, and avoid sensitive personal or proprietary content unless appropriate.

What this means

If PHOSOR_BASE_URL is set incorrectly or maliciously, authenticated requests and uploaded content could go to the wrong HTTPS endpoint.

Why it was flagged

The client supports overriding the API base URL. The visible code requires HTTPS, but the API key is sent to the configured base URL.

Skill content

PHOSOR_BASE_URL — Base URL override (default: https://phosor.ai)

Recommendation

Leave PHOSOR_BASE_URL unset or set it only to `https://phosor.ai`; do not use untrusted API endpoints.

What this means

Users have less external provenance information to validate who published the client and whether it matches an official Phosor release.

Why it was flagged

The registry metadata does not identify a verified source repository or provenance for the skill.

Skill content

Source: unknown

Recommendation

Prefer installing from a trusted registry entry and compare the homepage or official documentation if provenance matters for your environment.