kreadoai-skills
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The code mostly matches the KreadoAI integration purpose, but its official-source/provenance metadata is inconsistent while it asks for a paid API token.
Before installing, verify that this package really comes from KreadoAI despite the metadata mismatch. If you proceed, use a revocable token, keep the local credential file protected, and confirm any paid media-generation or removal task before allowing the agent to run it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may configure a KreadoAI token for a package whose publisher/version lineage is unclear.
The packaged metadata conflicts with the provided registry metadata, which lists a different owner ID, slug, and version. Because the skill handles a paid API token, this provenance mismatch is material.
"ownerId": "kn7bczybw3dwrwf452ghdtzty582nxj0", "slug": "kreadoai", "version": "1.1.0"
Verify the publisher and package source against KreadoAI's official channels before configuring a token, and prefer a revocable or least-privilege token if available.
The 'Official' wording could cause users to over-trust the skill with account credentials or paid API actions.
The artifact makes an 'Official' authority claim, while the supplied metadata says the source is unknown and the packaged metadata does not match the registry metadata.
description: Official KreadoAI Skill.
Treat the official claim as unverified unless confirmed by KreadoAI, and do not enter credentials until provenance is clear.
Anyone with access to the stored token may be able to use the KreadoAI account and consume paid resources.
The skill reads a KreadoAI API token from an environment variable or local credential file and can also write that token during configuration.
1. Environment variable KREADO_API_TOKEN ... 2. apiToken stored in the ~/.config/kreado/.credentials file
Protect the credential file, avoid sharing logs or terminals containing tokens, and revoke or rotate the token if the publisher cannot be verified.
If invoked unintentionally, the skill could create tasks that cost account credits and process the submitted media URLs.
The documented API actions can submit generation/removal jobs that consume paid K-Coin balance; this is purpose-aligned but financially impactful.
K-Coin billing: premium digital human 1/sec, deluxe 2/sec, photo 1/sec, TTS 0.3/sec, subtitle removal 1/sec.
Require clear user confirmation before running submit/upload/synthesize/removal commands, especially with --wait or production media.
