Civitai API
v1.0.0
Query the Civitai public REST API to search models, inspect creators, fetch model or version details, reverse-lookup models by hash, list images or tags, and...
by Stanislav Stankovic @stanestane
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, high confidence
Purpose & Capability
The skill name/description, SKILL.md, reference notes, and the Python script all consistently implement a client for the Civitai public REST API. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md limits workflow to searching models, versions, images, tags, reverse-hashing, and building authenticated download URLs. The bundled script follows those instructions and only accesses the workspace .env (script dir or parent) plus the environment. One operational note: the script will print download URLs and will include a ?token=... query param if a token is provided, so those outputs are sensitive and can leak the token if shared.
Install Mechanism
No install spec is provided (instruction-only with one helper script). Nothing is downloaded or written to arbitrary system locations by the skill itself.
Credentials
The skill does not declare required env vars but reasonably relies on CIVITAI_API_KEY (SKILL.md recommends storing it in .env). This is proportional to the purpose. Caution: the script loads any key=value pairs from a .env located in the skill directory or its parent and sets them into the process environment (os.environ.setdefault), so if other secrets are present in that .env they would become environment variables for the script. Also, printed download URLs may embed the token.
Persistence & Privilege
The skill does not request permanent/system-wide presence (always:false), does not modify other skills or global agent config, and only runs as invoked. Autonomous invocation is allowed by default but is normal and not a special privilege here.
Assessment
This skill appears to do what it says, but before installing: (1) avoid committing your .env to source control — store CIVITAI_API_KEY in a secure place; (2) be aware that the script will read a .env in the skill folder or parent and will set any keys it finds as environment variables — keep only the needed CIVITAI_API_KEY there; (3) treat any printed download URL (which may include ?token=...) as sensitive and do not paste it into public chat; (4) if you prefer, pass the token via the --token flag or set CIVITAI_API_KEY in your environment rather than leaving it in workspace files; (5) optionally review the script (scripts/civitai.py) locally before use to confirm network calls go to civitai.com as expected.
Like a lobster shell, security has layers — review code before you run it.
