Skill v1.2.0

ClawScan security

deAPI AI Media Suite (Community) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 9:29 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a client for the deAPI.ai media API and do not request unrelated credentials or install arbitrary code.
Guidance
This skill appears to be a straightforward client for deAPI.ai. Before installing: (1) Confirm you want to share uploaded media/URLs with deapi.ai and review their privacy/policy because media is sent to that service; (2) Use a dedicated API key for this service (do not reuse high-privilege keys like cloud provider credentials); (3) Expect network traffic (curl) and possible costs tied to your deAPI account — verify pricing and rate limits; (4) Be mindful of legal/privacy implications of voice cloning/transcribing third-party content; (5) Because it's instruction-only, no bundle code will be written to disk by the skill itself, but the agent will perform network requests — inspect the repository and docs if you want additional assurance.

Review Dimensions

Purpose & Capability
ok: Name/description (media generation, transcription, TTS, OCR, etc.) match the declared requirement (DEAPI_API_KEY) and the SKILL.md shows only calls to https://api.deapi.ai endpoints; nothing requests unrelated cloud credentials or system-level access.
Instruction Scope
ok: SKILL.md contains curl examples, an async submit/poll pattern, and explicit input-sanitization guidance (jq, URL/file validation). It only references user-supplied media URLs/files and the DEAPI_API_KEY; it does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints.
Install Mechanism
ok: There is no install spec and no code files — instruction-only. That minimizes on-disk risk; the skill relies on standard CLI tools (curl, jq) which are expected for a REST-API client.
Credentials
ok: Only DEAPI_API_KEY is required, which is appropriate for an API client. There are no additional secrets, config paths, or unrelated credentials requested.
Persistence & Privilege
ok: always is false and the skill does not request system-wide configuration or modify other skills. Autonomous invocation is allowed (platform default) but not combined with any excessive privileges.