multimodal-gen
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of subprocess.run to orchestrate its workflow. In generate.py, it calls other Python scripts (prompt_optimizer.py, generate_image.py, generate_video.py) using python3. Additionally, all script components (generate_image.py, generate_video.py, prompt_optimizer.py) execute the pass command-line utility to retrieve API keys from the local system's credential store.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations using the requests library to interact with an external API service at xingjiabiapi.com. It downloads media content (images and videos) from remote URLs returned by this API, including those hosted on s3.ffire.cc or other dynamically parsed links. These downloads are saved directly to the user's home directory under ~/clawd/output/.
- [CREDENTIALS_UNSAFE]: The skill is designed to programmatically access the system's pass password manager to fetch the api/xingjiabiapi secret. While this avoids hardcoding keys, it establishes a pattern of the agent accessing sensitive system credentials during execution.
- [DATA_EXFILTRATION]: User-provided prompts and descriptions are transmitted to the external domain xingjiabiapi.com for the purposes of prompt optimization and media generation. While this is the intended function of the skill, it involves sending potentially sensitive user data to a third-party service.
Audit Metadata