Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Don't download

v1.0.0

AI image generation, editing, and background removal API via Bria.ai — remove backgrounds to get transparent PNGs and cutouts, generate images from text prom...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md, API reference, and helper script all describe Bria.ai image generation and background removal — that purpose is consistent with the code. However, the registry metadata lists no required environment variables or config paths, yet the SKILL.md and bria_client.sh explicitly read ~/.bria/credentials and expect BRIA_API_KEY/BRIA_ACCESS_TOKEN. The absence of declared credentials/config-path requirements in metadata is an inconsistency.
Instruction Scope
Runtime instructions and the included bash helper explicitly read ~/.bria/credentials, poll auth endpoints, write temporary JSON files to /tmp, and send images (or base64-encoded image data) to engine.prod.bria-api.com. Reading a local credentials file and using an API key is expected for an API integration, but the SKILL.md also instructs the agent how to authenticate (device flow) and to show a single sign-in link — these behaviors expand runtime scope and should be disclosed in metadata.
Install Mechanism
This is an instruction-only skill with no install spec and one helper script. No remote downloads or install-time code execution are present, so install-time risk is low.
Credentials
The skill needs an API key (BRIA_API_KEY / BRIA_ACCESS_TOKEN) and reads ~/.bria/credentials to retrieve it — that is proportionate to calling the Bria API. However, the skill did not declare a primary credential or required env vars/config paths in its registry metadata, which is a disclosure gap. Also, the helper script assumes presence of curl, base64, sed and writes temporary files to /tmp; these runtime expectations are not declared in metadata.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not persist configuration beyond creating ~/.bria/credentials during device auth. No elevated persistence or cross-skill modifications observed.
What to consider before installing
This skill otherwise looks like a standard Bria.ai client, but there are disclosure gaps you should resolve before installing. Specifically:

- The SKILL.md and bria_client.sh expect an API key (BRIA_API_KEY / BRIA_ACCESS_TOKEN) and will read ~/.bria/credentials, but the registry metadata lists no required env vars or config paths — ask the publisher to update metadata to declare these explicitly.
- The helper script uses curl, base64, sed and writes temporary files to /tmp; confirm those binaries are available in the environment where the skill will run and that temporary file usage is acceptable.
- The skill will direct users to external endpoints (engine.prod.bria-api.com and platform.bria.ai/device/verify). Verify those domains are legitimate for your organization and that sending images (or base64-encoded image data) to them complies with your data policies.
- If you plan to install, put the minimum-privilege API key into a secrets manager or dedicated account, not into a broadly accessible account. Test the skill in an isolated environment first, and ask the publisher for a homepage or official source (none is provided) to validate authenticity.

If the publisher can correct metadata to list BRIA_API_KEY/BRIA_ACCESS_TOKEN and the ~/.bria credential path (and document the required local binaries), the skill would be internally coherent; until then proceed cautiously.

Like a lobster shell, security has layers — review code before you run it.
