LiblibAI Image & Video Gen
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: liblib-ai-gen Version: 1.0.0 The skill bundle provides a client for the LiblibAI API to generate images and videos. It requires API keys (`LIB_ACCESS_KEY`, `LIB_SECRET_KEY`) from environment variables, which is standard practice. The `SKILL.md` clearly outlines the skill's purpose and usage, without any prompt injection attempts to manipulate the agent for malicious actions. The `scripts/liblib_client.py` script only interacts with the `openapi.liblibai.cloud` domain, uses standard Python libraries and `requests`, and shows no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can submit media-generation jobs to LiblibAI with the content you provide.
The client sends generation requests to the LiblibAI API. This is expected for the skill's purpose, but it means user prompts and reference image URLs are transmitted to a third-party generation service and may consume account credits.
BASE_URL = "https://openapi.liblibai.cloud" ... requests.post(url, params=params, json=body, headers={"Content-Type": "application/json"}, timeout=30)Use it only with prompts and image URLs you intend to send to LiblibAI, and review costly or sensitive generation requests before running them.
The skill operates using your LiblibAI account authority and may spend credits or access generation tasks tied to that account.
The skill requires LiblibAI API credentials. This is purpose-aligned and the script uses them for signed API calls, but the registry metadata lists no required env vars or primary credential, so users may not see that credential requirement at install time.
Environment variables must be set: - `LIB_ACCESS_KEY` — API access key - `LIB_SECRET_KEY` — API secret key
Set these keys only if you trust the skill, prefer restricted or dedicated API keys if available, and rotate keys if they are shared or exposed.