Skill v1.0.2
ClawScan security
Krea AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 12, 2026, 9:24 PM)
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with its stated purpose: it only needs a KREA_API_TOKEN and instructs the agent to call Krea.ai endpoints to generate images and return URLs.
- Guidance: This skill appears coherent, but consider these practical points before installing:
  - Treat KREA_API_TOKEN as a secret: provide a token with the minimum necessary scope and rotate it if compromised.
  - Any prompt text is sent to Krea.ai; avoid including private credentials or sensitive PII in prompts because data will leave your environment.
  - The skill returns direct URLs to generated images; verify Krea.ai's retention and sharing policies if you need confidentiality.
  - Monitor usage and quotas (rate limits and compute units) to avoid unexpected charges.
  - Because this is instruction-only, review the SKILL.md if it changes in future versions; malicious behavior could be introduced in updated instructions even without code files.
  - Autonomous invocation is enabled by default on the platform — if you want to restrict automatic use, control the agent's skill permissions or only invoke the skill manually.
Review Dimensions
- Purpose & Capability (ok): Name/description say 'generate images via Krea.ai' and the SKILL.md only requires a single KREA_API_TOKEN and describes calling https://api.krea.ai endpoints. Requested capability (API token) matches the declared purpose and nothing extraneous (no cloud keys, no unrelated services) is required.
- Instruction Scope (ok): SKILL.md contains step-by-step instructions to POST jobs to Krea endpoints, poll job status, handle rate limits/429s, extract result.urls and return them. It does not instruct reading local files, other environment variables, or sending data to third-party endpoints beyond api.krea.ai. The behavior described stays within image-generation scope.
- Install Mechanism (ok): There is no install specification and no code files—this is an instruction-only skill. Nothing is downloaded or written to disk by the skill itself, which minimizes install risk.
- Credentials (ok): Only KREA_API_TOKEN is required and it's declared as the primary credential. That single secret is proportionate for an API client. The SKILL.md does not reference any additional env vars or secrets.
- Persistence & Privilege (ok): always:false (default) and the skill is user-invocable. It does not request persistent/always-on presence nor modify other skills or system-wide configuration. Autonomous invocation is allowed by platform default but is not combined with additional red flags here.
