Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Don't download

v1.0.0

Remove image background to transparent PNG. Powered by RMBG-2.0, commercially-safe model. Extract subjects for overlays, product photography, logos, and cuto...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for levdavid1/test-skill-1.

Prompt preview (Install & Setup):
Install the skill "Don't download" (levdavid1/test-skill-1) from ClawHub.
Skill page: https://clawhub.ai/levdavid1/test-skill-1
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install test-skill-1

ClawHub CLI


npx clawhub@latest install test-skill-1
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to remove image backgrounds and its runtime instructions call the Bria image API — that is coherent. However the skill accesses a local credentials file (~/.bria/credentials) and writes a persistent API token there even though 'required config paths' were not declared in the metadata. Declaring config paths or required env vars would be expected for a skill that stores credentials.
Instruction Scope
The SKILL.md instructs the agent to read and write ~/.bria/credentials and to perform a device-auth flow (polling the auth server). It also tells the operator to upload local images to 'a hosting service' but does not specify one — this vagueness could cause images to be uploaded to arbitrary third-party hosts, risking data exposure. The instructions also assume curl and python3 are available and include loops that poll external endpoints.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing will be written to disk by an installer. This is lower risk than skills that download and install binaries.
Credentials
The skill does not declare required environment variables, yet it reads/uses BRIA_AUTH_SERVER (with a default) and expects to set/use BRIA_API_KEY (persisted to disk). It does not request unrelated credentials. The missing declaration of the credential path and env usage is a proportionality / transparency issue.
Persistence & Privilege
The skill persists an API token to ~/.bria/credentials, giving it ongoing access to the Bria API until that file is removed. The skill does not request 'always: true' or other elevated platform privileges and does not modify other skills, but persistent token storage is a lasting presence worth noting.
What to consider before installing
This skill appears to do what it says (remove image backgrounds), but take these precautions before installing or using it:

  • Confirm the auth server and API endpoints (metadata lists https://auth.bria.ai and engine.prod.bria-api.com). If the sources/homepage are unknown, verify them independently.
  • Be aware it will create and store a token at ~/.bria/credentials. If you don't want long-lived credentials on disk, do not authenticate or remove the file after use.
  • The skill tells you to upload local images to an unspecified hosting service. That step could leak private images if you choose an untrusted host — decide which host to use or refuse to upload sensitive files.
  • It requires network access to the Bria endpoints and will poll the auth server during device authorization; review network policies or run in a sandbox if you need isolation.
  • If you want more assurance, request the skill author/publisher, a homepage or repository link, and a declaration of required config paths/env vars. If those are missing or the author is unknown, treat the skill more cautiously.
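
The declaration gap the scan describes can be checked mechanically. This is an added example, not part of the skill or of ClawHub's scanner: it lists the environment variables, home-directory paths and hosts that a skill's shell instructions reference and subtracts what the metadata declares. The `DECLARED` structure is a hypothetical stand-in for the metadata, and the excerpt is condensed from the skill instructions on this page.

```python
import re

# Constructed excerpt, condensed from the skill instructions on this page.
SKILL_TEXT = r'''
BRIA_AUTH_SERVER="${BRIA_AUTH_SERVER:-https://auth.bria.ai}"
if [ -f ~/.bria/credentials ]; then
  BRIA_API_KEY=$(python3 -c "import json; print(json.load(open('$HOME/.bria/credentials'))['access_token'])")
fi
curl -s -X POST "$BRIA_AUTH_SERVER/device/authorize"
mkdir -p ~/.bria
curl -s -X POST "https://engine.prod.bria-api.com/v2/image/edit/remove_background" -H "api_token: $BRIA_API_KEY"
'''

# Hypothetical declaration format (the real metadata schema is not shown on the page).
# Per the scan, the two hosts are listed but no env vars or config paths are declared.
DECLARED = {
    "env": set(),
    "paths": set(),
    "hosts": {"auth.bria.ai", "engine.prod.bria-api.com"},
}

ENV_RE = re.compile(r'\$\{?([A-Z][A-Z0-9_]*)')                   # $VAR and ${VAR...}
PATH_RE = re.compile(r'(?:~|\$HOME|\$\{HOME\})(/[\w./-]+)')      # paths under the home dir
HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')               # literal URL hosts
STANDARD_ENV = {"HOME", "PATH", "PWD", "USER"}                   # not skill-specific

def referenced(text):
    """Collect what the instructions touch. Every upper-case variable that is
    expanded is reported; ones assigned locally still need manual triage."""
    return {
        "env": set(ENV_RE.findall(text)) - STANDARD_ENV,
        "paths": {"~" + p for p in PATH_RE.findall(text)},
        "hosts": set(HOST_RE.findall(text)),
    }

def undeclared(text, declared):
    """Return, per category, the referenced items missing from the declaration."""
    found = referenced(text)
    return {k: sorted(found[k] - declared.get(k, set())) for k in found}

if __name__ == "__main__":
    for category, items in undeclared(SKILL_TEXT, DECLARED).items():
        print(f"{category}: {items or 'all declared'}")
```

A host that appears only through a variable (such as an overridden `BRIA_AUTH_SERVER`) is not caught by the URL pattern, which is one reason the variable itself belongs in the declaration.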

Like a lobster shell, security has layers — review code before you run it.

latest vk978d1jbr4jx49kxz9whgz80rn835t87
204 downloads
0 stars
1 version
Updated 22h ago
v1.0.0
MIT-0

Remove Background — Transparent PNG with AI

Remove image backgrounds to produce a transparent PNG. Uses Bria's RMBG-2.0 model — commercially safe and production ready.

Setup — Authentication

Before making any API call, you need a valid Bria access token.

Set the auth server URL from the metadata above (or override if instructed):

BRIA_AUTH_SERVER="${BRIA_AUTH_SERVER:-https://auth.bria.ai}"

Step 1: Check for existing credentials

if [ -f ~/.bria/credentials ]; then
  BRIA_API_KEY=$(python3 -c "import json; print(json.load(open('$HOME/.bria/credentials'))['access_token'])" 2>/dev/null)
fi
if [ -z "$BRIA_API_KEY" ]; then
  echo "NO_CREDENTIALS"
else
  echo "BRIA_API_KEY is set"
fi

If the output is BRIA_API_KEY is set, skip to Remove Background below. If the API key is rejected by the Bria API later, delete ~/.bria/credentials and restart from Step 2.

Step 2: Authenticate via device authorization

If no credentials are found, start the device authorization flow.

2a. Request a device code:

DEVICE_RESPONSE=$(curl -s -X POST "$BRIA_AUTH_SERVER/device/authorize" \
  -H "Content-Type: application/json")
echo "$DEVICE_RESPONSE"

Parse the response fields:

  • device_code — used to poll for the token (keep this, don't show to user)
  • user_code — the code the user must enter (e.g. BRIA-XXXX)
  • verification_uri — the URL the user must visit
  • interval — seconds between poll attempts

2b. Show the user the code and link. Tell them:

To connect your Bria account, open this link and enter the code shown: {verification_uri_complete}

Or go to {verification_uri} and enter code: {user_code}

2c. Poll for the token. After showing the user the code, immediately start polling. Try up to 60 times with the given interval (default 5 seconds):

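# Extract the values returned in step 2a (DEVICE_CODE was otherwise never set)
DEVICE_CODE=$(echo "$DEVICE_RESPONSE" | python3 -c "import sys,json; print(json.load(sys.stdin).get('device_code',''))" 2>/dev/null)
INTERVAL=$(echo "$DEVICE_RESPONSE" | python3 -c "import sys,json; print(json.load(sys.stdin).get('interval',5))" 2>/dev/null)
for i in $(seq 1 60); do
  TOKEN_RESPONSE=$(curl -s -X POST "$BRIA_AUTH_SERVER/token" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
    -d "device_code=$DEVICE_CODE")
  ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('access_token',''))" 2>/dev/null)
  if [ -n "$ACCESS_TOKEN" ]; then
    # Resolve the bearer token to a real Bria API key via introspection
    INTROSPECT=$(curl -s -X POST "$BRIA_AUTH_SERVER/token/introspect" \
      -d "token=$ACCESS_TOKEN")
    REAL_API_KEY=$(echo "$INTROSPECT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('api_token',''))" 2>/dev/null)
    if [ -n "$REAL_API_KEY" ]; then
      BRIA_API_KEY="$REAL_API_KEY"
    else
      BRIA_API_KEY="$ACCESS_TOKEN"
    fi
    # Keep the directory and the credentials file readable by the current user only
    mkdir -p ~/.bria && chmod 700 ~/.bria
    # Pass the key through the environment instead of interpolating it into Python source
    (umask 077; BRIA_API_KEY="$BRIA_API_KEY" python3 -c "
import json, os
with open(os.path.expanduser('~/.bria/credentials'),'w') as f:
    json.dump({'access_token': os.environ['BRIA_API_KEY']}, f)
")
    chmod 600 ~/.bria/credentials
    echo "AUTHENTICATED"
    break
  fi
  # Honour the interval from the device response, falling back to 5 seconds
  sleep "${INTERVAL:-5}"
done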

If the output contains AUTHENTICATED, proceed. Otherwise the code expired — start over from Step 2a.

Do not proceed with any API call until authentication is confirmed.


Remove Background

Remove the background from any image, returning a transparent PNG.

The image parameter must be a publicly accessible URL. If the user provided a local file, upload it to a hosting service first or ask for a URL.

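# Build the JSON body with json.dumps so quotes in the URL cannot break out of the string
PAYLOAD=$(IMAGE_URL="$IMAGE_URL" python3 -c "import json,os; print(json.dumps({'image': os.environ['IMAGE_URL']}))")
RESULT=$(curl -s -X POST "https://engine.prod.bria-api.com/v2/image/edit/remove_background" \
  -H "api_token: $BRIA_API_KEY" \
  -H "Content-Type: application/json" \
  -H "User-Agent: BriaSkills/1.0.0" \
  -d "$PAYLOAD")
echo "$RESULT"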

The response contains result_url — a PNG with transparent background. Show this URL to the user.

If the response contains a status_url instead, the job is processing asynchronously. Poll it:

STATUS_URL=$(echo "$RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('status_url',''))" 2>/dev/null)
if [ -n "$STATUS_URL" ]; then
  for i in $(seq 1 30); do
    POLL=$(curl -s "$STATUS_URL" -H "api_token: $BRIA_API_KEY")
    IMAGE_URL_RESULT=$(echo "$POLL" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('result',{}).get('image_url',d.get('result_url','')))" 2>/dev/null)
    if [ -n "$IMAGE_URL_RESULT" ] && [ "$IMAGE_URL_RESULT" != "" ]; then
      echo "DONE: $IMAGE_URL_RESULT"
      break
    fi
    sleep 3
  done
fi
