Sogni Gen
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its Sogni image/video purpose, but a scan found a possible built-in Sogni API key, so review the source before trusting it with your account or media.
Before installing, inspect the reported SOGNI_API_KEY location in sogni-gen.mjs and use your own Sogni credentials only through the documented env vars or credentials file. Be mindful that prompts and selected reference media are sent to Sogni, and disable MCP downloads if you do not want result copies saved locally.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Requests could use or expose an unintended Sogni credential if the scan reflects an actual literal key.
The skill legitimately needs user-provided Sogni credentials, but a hard-coded API key in the source would be an unintended credential boundary issue: it could route requests through an unexpected account or expose a real key.
Static scan at sogni-gen.mjs:1843: `SOGNI_API_KEY: [REDACTED]`
Review the source around the reported line, remove any literal API key, rotate any exposed key, and rely only on user-provided environment variables or the documented credentials file.
Personal photos, audio, or videos you choose as references may leave your device and generation may consume Sogni tokens.
The tool accepts local image, audio, and video files for editing, photobooth, and video workflows; this is central to the skill but means selected local media can be sent to Sogni.
`node sogni-gen.mjs --photobooth --ref face.jpg ...` and `node sogni-gen.mjs --video --ref-audio song.mp3 ...`
Only provide media files you are comfortable uploading to Sogni, and confirm token/cost-sensitive requests before running them.
Installing the skill can fetch and run third-party npm packages needed by the Sogni CLI/MCP server.
Installation may execute npm dependency installation from the package manifest; this is normal for a Node-based runtime, but it introduces dependency provenance risk.
command: "cd {{skillDir}} && cp skill-package.json package.json && npm i"
Install from the trusted publisher/source, prefer pinned or locked dependencies where possible, and review dependency changes on updates.
Prompts, seeds, URLs, or file references from prior renders may remain on disk and influence later generation requests.
The skill stores render metadata and can reuse the last image or seed in later runs; this persistence is disclosed and purpose-aligned.
Last render metadata (read/write): `~/.config/sogni/last-render.json` ... `--last-image`
Review or delete the last-render file if prior outputs should not be reused, and avoid storing sensitive prompts or media references.
