Miraflow
Pass
Audited by ClawScan on May 1, 2026.
Overview
Miraflow is a coherent instruction-only integration, but it uses a Miraflow API key and can create or upload media, so users should confirm credit-consuming actions and treat media links as sensitive.
This skill appears safe to install if you trust Miraflow and intend to use your Miraflow API key. Confirm every generation request carefully, watch for credit usage, upload only intended media files, and avoid sharing signed media URLs publicly.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A confirmed creation request may consume Miraflow credits or create account media.
The skill can trigger non-idempotent, potentially credit-consuming generation calls, but it explicitly requires user confirmation and forbids automatic retries.
**Always confirm before creating.** ... **NEVER retry `POST /api/video/create` or `POST /api/image/generate`.** These are expensive, non-idempotent operations.
Review the summarized avatar, voice, prompt, script, and name before confirming any creation request.
Using the skill lets the agent make Miraflow API calls under the user's account when invoked.
A Miraflow account API key is necessary, and the skill says not to hardcode it. However, this credential grants account access, and the registry requirements do not list any required credential.
Requires MIRAFLOW_API_KEY env var. ... always include `-H "x-api-key: $MIRAFLOW_API_KEY"` on every call. Never hardcode the key.
Use a limited-scope API key if Miraflow supports it, keep the key private, and monitor account activity and credits.
Images, audio, or generated videos may be transferred to Miraflow/S3, and signed URLs may temporarily grant access to the media.
The documented media workflow sends user files to external storage and returns signed URLs; this is expected for media generation but involves shareable access links.
Step 2 – Upload to S3 ... `curl -X PUT -H "Content-Type: image/png" --data-binary @image.png "$uploadUrl"` ... `downloadUrl` in video metadata is a signed S3 URL (24h TTL)
Only upload files intended for Miraflow processing and treat signed download or upload URLs as sensitive.
