Skill v1.2.1
ClawScan security
Creaa Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 18, 2026, 1:53 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill’s instructions match its image/video-generation purpose, but there is an incoherence in the metadata (the SKILL.md requires a CREAA_API_KEY while the registry metadata lists no required env vars) that warrants caution before installing.
- Guidance: This skill appears to do what it says (call Creaa.ai to generate/edit images and videos) and requires an API key. Before installing: 1) Verify the CREAA_API_KEY requirement — the SKILL.md expects it but the registry metadata lists none (contact the publisher or inspect the full SKILL.md). 2) Only provide an API key you trust and are willing to have used by the agent; requests will include the Bearer token to creaa.ai endpoints and any images you supply will be uploaded to that service. 3) Avoid sending sensitive images or private data through the skill. 4) If you install, consider testing in a sandbox account and be prepared to rotate/revoke the API key if you see unexpected behavior. 5) If you want to prevent autonomous invocation, disable model invocation or decline installing the skill until the metadata inconsistency is fixed.
Review Dimensions
- Purpose & Capability (note): The name, description, and the SKILL.md all describe Creaa.ai image/video generation and show exact curl calls to https://creaa.ai/api/..., which is coherent with the claimed purpose. The skill legitimately needs an API key for Creaa.ai according to SKILL.md.
- Instruction Scope (ok): SKILL.md only instructs the agent to call Creaa.ai endpoints (image/video generate/edit, task polling) using a Bearer token. It does not direct reading unrelated files, system paths, or sending data to third-party endpoints outside creaa.ai. The content is narrowly scoped to the stated functionality.
- Install Mechanism (ok): This is instruction-only (no install spec, no code files). That minimizes disk writes and installation-side risks.
- Credentials (concern): The SKILL.md declares a required environment variable CREAA_API_KEY (primaryEnv) which is appropriate for an API-backed image/video service. However, the registry metadata provided with the skill lists no required env vars — an inconsistency. That mismatch could be a packaging/manifest bug (sloppy) or could cause the platform to not surface the credential requirement properly; either way it is unexplained and should be resolved before trusting the skill.
- Persistence & Privilege (ok): always is false and the skill is user-invocable. disable-model-invocation is false (default) allowing autonomous invocation — this is normal for skills and not, by itself, a problem. There is no request to modify other skills or system-wide settings.
