v1.0.0

Don't download

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:29 AM.

Analysis

The Bria image API behavior is mostly purpose-aligned, but the package identity/provenance is inconsistent and the helper handles Bria credentials in ways users should review before installing.

Guidance: Review this skill before installing. Only use it if you trust the publisher and the intended Bria integration, keep BRIA_API_BASE at the default Bria endpoint, and avoid uploading private images unless you are comfortable sharing them with Bria.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium; Confidence: Medium; Status: Concern
metadata
Name: Don't download; Source: unknown; Slug: gal-test; Version: 1.0.0

The public package identity and provenance are unclear and inconsistent with the Bria-branded skill content, which matters because the skill asks for a Bria API credential.

User impact: A user may believe they are installing an official or production Bria integration when the package identity does not clearly support that.
Recommendation: Verify the publisher/source and confirm this is the intended Bria skill before providing BRIA_API_KEY or using the device authorization flow.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
references/code-examples/bria_client.sh
BRIA_API_BASE="${BRIA_API_BASE:-https://engine.prod.bria-api.com}" ... -H "api_token: $BRIA_API_KEY" ... curl -s "$status_url" -H "api_token: $BRIA_API_KEY"

The helper sends the Bria API key to a configurable base URL and later to whatever status_url is returned, without visible validation that the destination remains a Bria-controlled host.

User impact: If the base URL or returned status URL is not the expected Bria endpoint, the API key could be sent to an unintended server.
Recommendation: Do not override BRIA_API_BASE unless you fully trust the endpoint, and update the helper to validate status_url hosts before attaching the API key.
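One way to implement the recommended check, as an added example written for this review and not code from the skill's bria_client.sh: the helper below only attaches BRIA_API_KEY when the destination is an https URL whose host exactly matches the host of BRIA_API_BASE (or, as an assumed optional extension, a host listed in a BRIA_ALLOWED_HOSTS variable). Exact host comparison, rather than a substring or suffix match, is what defeats lookalike hosts such as engine.prod.bria-api.com.evil.example and userinfo tricks such as https://engine.prod.bria-api.com@evil.example/. The function names, the BRIA_ALLOWED_HOSTS variable and the URLs in the comments are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example for this review, not part of the skill's bria_client.sh.
# Assumptions: BRIA_API_BASE defaults as in the skill; BRIA_ALLOWED_HOSTS is an
# assumed, optional, space-separated list of extra permitted hosts; the
# function names are ours.

BRIA_API_BASE="${BRIA_API_BASE:-https://engine.prod.bria-api.com}"

# url_host URL: print the lowercased host of an https URL, or fail.
# Strips path/query/fragment first, then userinfo, then port, so a URL like
# https://user@engine.prod.bria-api.com@evil.example/ resolves to evil.example.
url_host() {
  local url="$1" rest host
  case "$url" in
    https://*) rest="${url#https://}" ;;
    *) return 1 ;;   # plain http (or anything else) never receives the key
  esac
  host="${rest%%[/?#]*}"
  host="${host##*@}"
  host="${host%%:*}"
  [ -n "$host" ] || return 1
  printf '%s\n' "$host" | tr '[:upper:]' '[:lower:]'
}

# bria_url_allowed URL: succeed only if the URL's host is exactly the host of
# BRIA_API_BASE or one of BRIA_ALLOWED_HOSTS. Because the comparison is exact,
# engine.prod.bria-api.com.evil.example is rejected. If BRIA_API_BASE itself is
# overridden to a non-https URL, nothing is allowed.
bria_url_allowed() {
  local host base_host h
  host="$(url_host "$1")" || return 1
  base_host="$(url_host "$BRIA_API_BASE")" || return 1
  for h in "$base_host" $BRIA_ALLOWED_HOSTS; do   # word splitting intended
    [ "$host" = "$h" ] && return 0
  done
  return 1
}

# bria_poll_status STATUS_URL: hardened replacement for the skill's
# `curl -s "$status_url" -H "api_token: $BRIA_API_KEY"`. Returns 2 and sends
# nothing at all when the destination is not an allowed Bria host.
bria_poll_status() {
  local status_url="$1"
  if ! bria_url_allowed "$status_url"; then
    printf 'refusing to send BRIA_API_KEY to %s\n' "$status_url" >&2
    return 2
  fi
  curl -sS --fail "$status_url" -H "api_token: ${BRIA_API_KEY:?BRIA_API_KEY not set}"
}
```

The same check applies to the initial request: run bria_url_allowed over "${BRIA_API_BASE}${endpoint}" before the first curl, so that an overridden BRIA_API_BASE pointing at http:// or at a non-Bria host is refused rather than silently used.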
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
references/code-examples/bria_client.sh
base64 < "$image" | tr -d '\n' >> "$payload" ... curl ... "${BRIA_API_BASE}${endpoint}" ... -d @"$payload"

Local image files can be encoded into the request payload and sent to the external Bria API, which is expected for image editing but still moves user content outside the local environment.

User impact: Images, prompts, and edits submitted through the skill are shared with the Bria API provider.
Recommendation: Use the skill only for images you are allowed to upload to Bria and review Bria's data handling terms for sensitive or private content.