fal-api
Pass
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: LOW
Full Analysis
- [COMMAND_EXECUTION] (LOW): The script uses subprocess.run to call the 'clawdbot' CLI for configuration retrieval. This is a framework-specific local command and is executed securely using a list of arguments, preventing shell injection.
- [EXTERNAL_DOWNLOADS] (INFO): The skill makes outbound network connections to the official fal.ai API (queue.fal.run) to process media generation requests.
- [CREDENTIALS_UNSAFE] (SAFE): API keys are managed through environment variables or local configuration tools rather than being hardcoded in the source code.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes user-provided prompt strings. While these are passed to an external API without sanitization, the response data consists of media URLs, which pose a negligible risk of executing instructions in the agent context.