babbleBrush

Security checks across static analysis, malware telemetry, and agentic risk

Overview

babbleBrush is a coherent image-editing API skill, but users should note that it sends images to BabbleBrush and can manage BabbleBrush and provider API keys.

Install if you are comfortable giving the agent access to your BabbleBrush account and sending selected images to BabbleBrush. Be especially careful before adding Gemini or xAI provider keys, because those may incur provider billing.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse (Medium)

What this means

Anyone or any agent using this key can act on the user's BabbleBrush account within the API's permissions.

Why it was flagged

The skill requires a BabbleBrush API key that gives access to the user's BabbleBrush account and API operations.

Skill content

All requests require an API key sent in the Authorization header. ... Authorization: Bearer bb_...

Recommendation

Store BABBLEBRUSH_API_KEY securely, rotate it if exposed, and only enable this skill where account access is intended.

ASI03: Identity and Privilege Abuse (Medium)

What this means

Adding a Gemini or xAI key may cause usage to be billed directly to the user's provider account.

Why it was flagged

The skill documents storing third-party provider API keys with BabbleBrush, which can affect billing and access to external AI provider accounts.

Skill content

Add/update provider API key ... -d '{"provider": "gemini", "api_key": "AIza..."}' ... Valid providers: `gemini`, `xai`

Recommendation

Only add provider keys when needed, verify provider billing limits, and remove keys through the documented delete endpoint if no longer required.

ASI02: Tool Misuse and Exploitation (Low)

What this means

Images selected for editing are transmitted to BabbleBrush and may be stored as part of the canvas history.

Why it was flagged

The API supports uploading local image files to the BabbleBrush service, which is expected for image editing but should be user-directed.

Skill content

Create canvas with image ... -F "image=@/path/to/image.png" ... "https://babblebrush.com/api/v1/canvases"

Recommendation

Avoid uploading private or sensitive images unless you are comfortable storing and processing them through BabbleBrush.

ASI06: Memory and Context Poisoning (Low)

What this means

Past images, prompts, and versions may persist in the BabbleBrush account and be reused or viewed later.

Why it was flagged

The service maintains persistent edit history and versions, which means user image content and prompts may remain available across sessions.

Skill content

A canvas contains multiple Canvas versions representing the edit history. The latest completed canvas version is the current image of any given canvas.

Recommendation

Review BabbleBrush retention and deletion controls, and do not store sensitive content unless that persistence is acceptable.