superx-art-api

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent SuperX media-generation wrapper, but it includes unsafe API-key handling instructions that could expose your key and spend account credits.

Only use this skill if you trust SuperX and are comfortable sending prompts and selected image URLs to its API. Avoid running `echo $SUPERX_API_KEY`, store the key securely, and ask the agent to confirm any paid generation cost before it calls the API.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your SuperX API key could be revealed in the chat or tool transcript, letting anyone with access to it use your account credits.

Why it was flagged

This directs the agent to use an account API key from the environment without prompting and to print the variable's value when checking for it, which can expose the secret in terminal output or logs.

Skill content

Check environment variable `SUPERX_API_KEY` — use it silently if set ... To check if the env var exists, run: `echo $SUPERX_API_KEY`

Recommendation

Do not echo the key. The skill should declare the credential in metadata and check only for presence with a non-printing command, then ask before using a stored key.

What this means

A generation request may consume SuperX account points, especially for videos or multiple outputs.

Why it was flagged

The documented workflow uses Bash/curl to call provider endpoints and presents cost after execution; this is aligned with the skill purpose but users should be aware of point-consuming actions.

Skill content

2. **Check balance first** — call `/balance` to make sure the user has enough points ... 5. **Make the call** — execute via curl ... 6. **Present results** — show the full image/video URL, the cost, and any relevant metadata

Recommendation

Have the agent show the endpoint, parameters, and estimated cost before making paid generation calls, and keep requests scoped to the user's prompt.