Miraflow
Advisory
Audited by VirusTotal on Mar 23, 2026.
Overview
Type: OpenClaw Skill
Name: miraflow
Version: 1.0.3
The miraflow skill bundle is a legitimate integration for the Miraflow AI video and image platform. It follows security best practices by instructing the agent to never hardcode API keys, requiring explicit user confirmation before performing credit-consuming operations, and providing clear documentation for its API interactions (SKILL.md, references/api.md).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A confirmed creation request may consume Miraflow credits or create account media.
The skill can trigger non-idempotent, potentially credit-consuming generation calls, but it explicitly requires user confirmation and forbids automatic retries.
**Always confirm before creating.** ... **NEVER retry `POST /api/video/create` or `POST /api/image/generate`.** These are expensive, non-idempotent operations.
Review the summarized avatar, voice, prompt, script, and name before confirming any creation request.
Using the skill lets the agent make Miraflow API calls under the user's account when invoked.
A Miraflow account API key is necessary and the skill says not to hardcode it, but this credential grants account access and the registry requirements list no required credential.
Requires MIRAFLOW_API_KEY env var. ... always include `-H "x-api-key: $MIRAFLOW_API_KEY"` on every call. Never hardcode the key.
Use a limited-scope API key if Miraflow supports it, keep the key private, and monitor account activity and credits.
Images, audio, or generated videos may be transferred to Miraflow/S3, and signed URLs may temporarily grant access to the media.
The documented media workflow sends user files to external storage and returns signed URLs; this is expected for media generation but involves shareable access links.
Step 2 – Upload to S3 ... `curl -X PUT -H "Content-Type: image/png" --data-binary @image.png "$uploadUrl"` ... `downloadUrl` in video metadata is a signed S3 URL (24h TTL)
Only upload files intended for Miraflow processing and treat signed download or upload URLs as sensitive.
