v1.0.0

Don't download

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:24 AM.

Analysis

This image API skill appears purpose-aligned, but it handles Bria credentials and its helper can forward the API key to configurable or response-provided URLs, so it should be reviewed before use.

Guidance: Review this carefully before installing. It is broadly aligned with Bria image generation/editing, but you should only use it with a Bria account and images you are comfortable sending to Bria.ai. Prefer an updated version that declares its credential requirements and validates that API-key-bearing requests only go to Bria-controlled domains.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
fetch the full agent-oriented API reference at [docs.bria.ai/llms.txt](https://docs.bria.ai/llms.txt) — it is the canonical LLM-ready documentation

The skill directs the agent to rely on remote, changeable documentation for API behavior. This is relevant to the skill's purpose, but it adds an external instruction source.

User impact: Future changes to the remote documentation could affect how the agent uses the API.
Recommendation: Treat remote documentation as reference material, prefer versioned/pinned API docs where possible, and avoid letting fetched text override user intent or safety checks.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium, Confidence: Medium, Status: Concern
references/code-examples/bria_client.sh
BRIA_API_BASE="${BRIA_API_BASE:-https://engine.prod.bria-api.com}" ... -H "api_token: $BRIA_API_KEY" ... "${BRIA_API_BASE}${endpoint}" ... poll=$(curl -s "$status_url" \
        -H "api_token: $BRIA_API_KEY"

The helper sends the Bria API key to a configurable base URL and later to a status_url parsed from the API response, without showing host validation that confines the credential to Bria-controlled endpoints.

User impact: If the base URL or returned status URL points somewhere unexpected, the Bria API key could be sent outside the intended service and potentially used against the user's Bria account.
Recommendation: Constrain API-key-bearing requests to known Bria domains, validate status_url before polling, and declare the Bria credential requirement in metadata.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium, Confidence: High, Status: Note
references/code-examples/bria_client.sh
base64 < "$image" | tr -d '\n' >> "$payload" ... http_code=$(curl ... "${BRIA_API_BASE}${endpoint}" ... -d @"$payload")

Local image files are encoded into the request payload and posted to Bria's API. This is expected for image editing, but images may contain personal or proprietary content.

User impact: Images provided to the skill may be uploaded to Bria.ai for processing.
Recommendation: Use the skill only with images you are comfortable sending to Bria.ai, and review Bria's data-use and retention policies before processing sensitive images.