v1.0.2

Phosor AI

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

This skill appears to be a coherent Phosor AI video-generation client, but users should notice that it uses a billable API key, uploads media/model files, and can manage/delete Phosor assets.

GuidanceThis looks safe to use for its stated purpose if you trust Phosor AI. Before installing, understand that generated videos cost credits, uploaded images and LoRA files are sent to Phosor, and the API key should be protected. Keep PHOSOR_BASE_URL unset or pointed to `https://phosor.ai`, and confirm any submit or delete action before running it.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

references/api.md

Credits are pre-deducted on submit. On failure/timeout, credits are automatically refunded.

Submitting video-generation jobs is the intended purpose, but it is a billable action.

User impactAccidental or repeated job submissions could consume Phosor credits.

RecommendationConfirm prompts, resolution, frame count, and LoRA usage before submitting jobs, especially for higher-cost settings.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

`delete-lora <lora_id>` — Delete a LoRA model

The skill documents an account-mutating command for deleting a LoRA model. This is relevant to the stated LoRA-management purpose but should be user-directed.

User impactA mistaken delete command could remove a custom LoRA asset from the Phosor account.

RecommendationOnly run deletion commands after confirming the exact LoRA ID and that deletion is intended.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown

The registry metadata does not identify a verified source repository or provenance for the skill.

User impactUsers have less external provenance information to validate who published the client and whether it matches an official Phosor release.

RecommendationPrefer installing from a trusted registry entry and compare the homepage or official documentation if provenance matters for your environment.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Keep your API key secret. Do not commit it to version control or share it publicly. All API calls are authenticated and billed through this key.

The skill requires a Phosor API key that authenticates account actions and charges usage to the user's account.

User impactAnyone or any agent using this key can submit Phosor API requests that may consume credits.

RecommendationUse a dedicated Phosor API key if possible, keep it out of logs and shared files, and revoke or rotate it if exposed.

Identity and Privilege Abuse

SeverityLowConfidenceMediumStatusNote

scripts/phosor_client.py

PHOSOR_BASE_URL — Base URL override (default: https://phosor.ai)

The client supports overriding the API base URL. The visible code requires HTTPS, but the API key is sent to the configured base URL.

User impactIf PHOSOR_BASE_URL is set incorrectly or maliciously, authenticated requests and uploaded content could go to the wrong HTTPS endpoint.

RecommendationLeave PHOSOR_BASE_URL unset or set it only to `https://phosor.ai`; do not use untrusted API endpoints.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

`upload-image <file>` — Upload image for I2V ... `upload-lora <high_noise_file> <low_noise_file>` — Upload LoRA

The skill intentionally transfers local images and LoRA model files to the Phosor service for processing.

User impactPrivate photos, prompts, or custom model files may be sent to Phosor when those commands are used.

RecommendationUpload only media and model files you are comfortable processing through Phosor, and avoid sensitive personal or proprietary content unless appropriate.