ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Miraflow

Create and manage AI-generated videos and images using Miraflow, including avatar videos, cinematic clips, image generation, editing, and media uploads.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 29 · 0 current installs · 0 all-time installs
by@minforge
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly the Miraflow API operations you'd expect for video/image creation, status polling, media upload, and downloads. Requiring an API key (MIRAFLOW_API_KEY) is coherent with the stated purpose. However the registry metadata provided with the skill lists no required env vars or primary credential, creating a mismatch between what the skill needs and what the metadata claims.
Instruction Scope
The runtime instructions are limited to calling the miraflow.ai API, polling job status (with explicit rule to avoid tight loops), and downloading files only when requested. The SKILL.md instructs the agent to read $MIRAFLOW_API_KEY and to save downloaded MP4s to the current directory — these are expected for this functionality and do not request unrelated files, credentials, or system paths.
Install Mechanism
There is no install spec and no code files to execute locally (instruction-only), so the skill itself does not install binaries or fetch remote code. This limits on-disk risk; the main runtime activity is network calls to the Miraflow API.
!
Credentials
The SKILL.md and its embedded metadata state the skill requires MIRAFLOW_API_KEY and to include it in the x-api-key header — appropriate for the API. However the registry-level requirements listed at the top of the package report show 'Required env vars: none' and 'Primary credential: none', which is inconsistent. That mismatch means the skill may use sensitive credentials (your API key) even though the package metadata doesn't advertise it. The skill will transmit the API key to miraflow.ai (expected for this use) but you should be aware the key will be included in outbound requests.
Persistence & Privilege
The skill is not always-enabled, does not request elevated or persistent system-wide privileges, and contains no instructions to modify other skills or agent-wide configuration. Autonomous invocation is allowed (platform default) but not unusual here.
What to consider before installing
Before installing or enabling this skill: 1) Confirm the publisher/source — the package has no homepage and the 'Source' is unknown; ask for a GitHub repo or official publisher reference to verify authenticity. 2) Expect to provide MIRAFLOW_API_KEY — the SKILL.md requires it but the registry metadata omitted it; do not provide other unrelated credentials. 3) Limit scope of the API key if possible (create a key with minimal permissions or a test account) and plan to rotate it after testing. 4) Be comfortable that the agent will make outbound network requests to https://miraflow.ai and may save user-requested downloads to the current directory; run in an environment where that is acceptable. 5) If you need higher assurance, request the skill source (repo) and verify the SKILL.md matches the published manifest and that there are no hidden network endpoints. 6) If you cannot verify publisher identity or prefer not to expose an API key, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.3
Download zip
latestvk972e3nmfmbt44r985ktasq89n83f4n1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Miraflow

Miraflow is an AI video/image platform. The API is async — creation endpoints return a jobId, then you poll for completion.

Base URL: https://miraflow.ai/api
Auth: always include -H "x-api-key: $MIRAFLOW_API_KEY" on every call. Never hardcode the key.

Full API reference: See references/api.md for endpoint details, request/response schemas, and the media upload workflow.

Rules

  • Never hardcode the API key. Always read from $MIRAFLOW_API_KEY.
  • Always use x-api-key as the header name, not Authorization.
  • After creating a video, always clearly state the jobId — the user needs it to check status.
  • Do not auto-download a video without the user asking.
  • Do not poll status in a loop. Check once, report the status, and tell the user to ask again if not ready.
  • If an API call returns an error, show the status code and error message clearly.
  • NEVER retry POST /api/video/create or POST /api/image/generate. These are expensive, non-idempotent operations. Call each creation endpoint exactly once per user request, even if the response is slow or unclear. If the call succeeds (any 2xx), stop — do not call again.
  • Always confirm before creating. Before calling any creation endpoint, summarize what will be created (avatar, voice, name, script) and wait for the user to confirm. Only proceed after explicit confirmation.

Core Workflows

List Avatars

GET /api/avatars

Present as a numbered list with avatar name and ID.

List Voices

GET /api/voices

Present as a numbered list with voice name and ID.

Create an Avatar Video (voice + script)

  1. If no avatarId given, list avatars and ask the user to pick one.
  2. If no voiceId given, list voices and ask the user to pick one.
  3. Ask for a video name if not provided.
  4. Before creating: Confirm with the user — show avatar name, voice name, video name, and script. Wait for explicit approval.
  5. Call POST /api/video/create exactly once:
{
  "avatarId": "<id>",
  "voiceId": "<id>",
  "name": "<name>",
  "text": "<script>",
  "im2vid_full": true
}
  1. Report the jobId clearly — the user needs it to check status later.
  2. Do not call create again regardless of how long the response takes. If a timeout or error occurs, report it and let the user decide whether to retry.

Note: im2vid_full: true enables full-body animation on photo avatars. Omit for head-only.

Check Video Status

GET /api/video/{jobId}/status

Translate status for the user:

  • inference_started → "Queued, not started yet"
  • inference_working → "In progress (X% complete)"
  • inference_complete → "Ready! Use the jobId to fetch the download link."
  • inference_failed → "Generation failed"
  • inference_error → "Unknown error occurred"

Fetch Video + Download Link

GET /api/video/{id}

Returns metadata including a signed downloadUrl (valid 24h). Share this directly with the user.

Download a Video

GET /api/video/{id}/download

Save the response (video/mp4) to the current directory as {video-name}.mp4. Confirm the file path when done.

Generate an AI Image

  1. POST /api/image/generate with prompt, name, optional aspectRatio (1:1 | 16:9 | 9:16 | 4:3 | 3:4)
  2. Poll GET /api/image/{jobId} until inference_complete → includes downloadUrl

Edit an Image

  1. Upload image via media upload workflow (see references/api.md)
  2. POST /api/image/edit with referenceImageMediaId, prompt, name
  3. Poll until complete

Upload Media (audio or reference images)

See references/api.md → Media Upload Workflow (initialize → PUT to S3 → finalize)

Error Handling

  • 400 — bad request, invalid params, or insufficient credits
  • 401 — missing/invalid API key (check MIRAFLOW_API_KEY)
  • 404 — resource not found

Always show the status code and full error message when an API call fails.

Credits

Created by Katie Min — designed and directed by Katie, built by Claude Code (AI coding agent by Anthropic), powered by OpenClaw.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…