ClawHub

Krea.ai API

v0.2.4

Generate images via Krea.ai API (Flux, Imagen, Ideogram, Seedream, etc.)

5· 2.8k·3 current·3 all-time
byCarlos E. Barboza@fossilizedcarlos
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Krea.ai image generation) align with the included code and SKILL.md: the package makes HTTPS calls to api.krea.ai endpoints, supports listed models, and exposes CLI and module usage that a Krea client would need.
Instruction Scope
SKILL.md and the code limit actions to reading a single credentials file (~/.openclaw/credentials/krea.json), performing HTTP(S) calls to api.krea.ai, listing/polling jobs, and optionally opening a browser via webbrowser.open(). There are no instructions to read unrelated files, call arbitrary subprocesses, or post data to external endpoints other than api.krea.ai (and the documented dashboard URL).
Install Mechanism
No install spec; the skill is distributed as code only and uses only Python stdlib (urllib, webbrowser). This is the lowest-risk install model given the included files.
Credentials
The skill requires API credentials stored in ~/.openclaw/credentials/krea.json (documented in SKILL.md and used by the code). This is proportionate to its purpose. However, the registry metadata summary provided earlier listed no primary credential/environment requirements — that metadata omission is inconsistent with the SKILL.md and code and should be reconciled before trusting automated tooling that relies on registry metadata.
Persistence & Privilege
The skill does not request persistent platform privileges (always is false), does not modify other skills or agent-wide settings, and operates only when invoked. It does read a credential file in the user's home directory, which is expected for API usage.
Assessment
This skill appears to be what it says: a Krea.ai client that reads a local credentials file and talks only to api.krea.ai. Before installing or running it: 1) verify the credential file path (~/.openclaw/credentials/krea.json) and ensure you only store a Krea API key there with strict permissions (chmod 600); 2) confirm the skill source (the package lists an unknown source/homepage) — prefer installing code from an official or trusted repository; 3) inspect krea_api.py (it is included) to ensure no changes were made from the reviewed copy; and 4) if you want stronger assurance, run the script in a sandboxed environment or review network traffic to confirm it only contacts api.krea.ai. Also note the registry metadata omitted the declared file-based credential — treat automated metadata as incomplete until reconciled.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c4rzj6rjptvmkztbg5t18k581gw4k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments