ZenMux Media Gen
Analysis
This appears to be a straightforward ZenMux media-generation skill that uses your ZenMux API key to send prompts to ZenMux and save generated media, with no artifact evidence of hidden or unrelated behavior.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
requests.post(url, headers=headers, json=data, timeout=120) ... with open(out, "wb") as f: f.write(img_data)
The CLI makes generation requests and writes downloaded media to local output files; this is core to the skill but should be used with deliberate prompts and safe output paths.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
ZENMUX_API_KEY = os.environ.get("ZENMUX_API_KEY") ... "Authorization": f"Bearer {ZENMUX_API_KEY}"The helper reads the ZenMux API key from the environment and uses it as a bearer token for ZenMux API requests, which is expected for this integration.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
data = {"model": model, "messages": [{"role": "user", "content": prompt}], "modalities": ["image"]}User prompts are sent to the external ZenMux API as part of normal image/video generation.