Back to skill
Skillv1.0.1
ClawScan security
Ultimate AI Media Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 1:56 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required inputs are coherent with a CyberBara-backed image/video generation CLI: it asks for an API key (optional via env/interactive), talks to cyberbara.com, and saves generated media locally — nothing requested appears disproportionate to the stated purpose.
- Guidance
- This skill appears internally consistent: it implements a CLI that talks to CyberBara (https://cyberbara.com), requires a provider API key, saves that key under ~/.config/cyberbara/api_key, and downloads media URLs returned by the service into your media_outputs directory. Before installing: 1) only provide an API key you trust to this third-party service and verify the domain; 2) inspect the cyberbara_client gateway code (not shown in the truncated listing) if you want assurance about exact HTTP endpoints/headers it uses; 3) be aware downloaded media files will be opened automatically by default (you can disable saving/opening via flags); and 4) if you plan to run this in an automated/privileged agent, remember it will perform network calls to the provider and could consume account credits. If any of these behaviours are unacceptable, do not install or run until you audit the client implementation and verify the provider.
Review Dimensions
- Purpose & Capability
- okName/description describe model-backed image/video generation. The bundle includes a CLI, prompt/workflow templates, credit-quote/polling flow, and client gateway code that targets CyberBara endpoints (base URL fixed to https://cyberbara.com). Required artifacts (API key, upload + generate + poll) align with this purpose.
- Instruction Scope
- okSKILL.md and CLI instruct only on discovering models, quoting credits, uploading images, submitting generation tasks, polling for results, saving outputs, and persisting an API key under ~/.config/cyberbara/api_key. There are no instructions to read arbitrary system files, sweep environment variables beyond CYBERBARA_API_KEY, or exfiltrate unrelated data.
- Install Mechanism
- okNo install spec is provided (instruction-only install). The package contains Python source files which are intended to be run locally (python3 scripts/cyberbara_api.py). This is low risk in the sense that no remote installer/unknown URL downloads are configured by the skill itself.
- Credentials
- okThe only credential surface is CyberBara API key (supported via --api-key, CYBERBARA_API_KEY env var, or local cache). That matches the described need to call the provider API. No unrelated secrets or multiple external credentials are requested.
- Persistence & Privilege
- okThe skill persists only its own API key to ~/.config/cyberbara/api_key (and masks it in CLI output). It does not request 'always' inclusion and does not modify other skills or system-wide agent configuration.