Generate and edit images and videos using WaveSpeed AI's 700+ model library. Use when the user wants to generate images from text prompts (FLUX, Seedream, Qw...
Security Analysis
high confidence
The skill broadly matches an image/video-generation tool, but its metadata does not declare the API key it requires, and it contains a few instruction/packaging mismatches that could lead to accidental exposure of secrets or sloppy installs.
The skill's stated purpose (WaveSpeed image/video generation) matches the code and model list: the CLI talks to api.wavespeed.ai and exposes model aliases. However the registry metadata says no required environment variables or primary credential, while both SKILL.md and the script clearly require WAVESPEED_API_KEY. That discrepancy is incoherent and important: a user installing this skill would not be warned that a secret is needed.
SKILL.md instructs the agent to check the WAVESPEED_API_KEY env var (and even suggests running echo $WAVESPEED_API_KEY). Asking the agent/user to echo an API key risks accidental leakage into logs or chat. The instructions also say to check TOOLS.md and to 'ask the user' if no key is found; those are reasonable, but the explicit echo advice is risky and unnecessary for normal operation.
There is no install spec (instruction-only) which lowers install risk. Minor packaging inconsistencies: README suggests installing 'axios form-data' but the shipped script only uses built-in https/fs and package.json lists no dependencies. This looks like sloppy packaging rather than active malicious behavior.
The code requires WAVESPEED_API_KEY (process.env.WAVESPEED_API_KEY) and will exit if it's not set, yet the skill metadata declares no required env vars or primary credential. The SKILL.md also asserts the key is 'already set in all Clawster containers' — an unverifiable and suspicious claim. The instruction to echo the env var could expose the secret; environment access is more privileged than the metadata indicates.
The skill does not request always:true, does not modify other skills, and is user-invocable. It does not attempt to persist itself or change system-wide settings. No elevated persistence privileges are requested.
Guidance
Key points before installing:
(1) The skill actually requires WAVESPEED_API_KEY, but the metadata doesn't declare it; expect to provide that API key.
(2) Do not run or instruct the agent to run commands that print your API key (e.g., 'echo $WAVESPEED_API_KEY') because that can leak the secret into logs or chat; instead copy the key privately into the agent's secure credential store.
(3) Verify you trust the wavespeed.ai API and its pricing/terms; the script will send your key to api.wavespeed.ai and download URLs returned by that service.
(4) The packaging is sloppy (README asks to install axios/form-data though the script uses built-ins), which suggests the repo wasn't carefully reviewed; inspect the code yourself or run it in a sandbox.
(5) If you proceed, ask the maintainer to update the skill metadata to declare WAVESPEED_API_KEY as the primary credential and remove any guidance that prints secrets; consider auditing network endpoints and running the CLI in an isolated environment first.
Latest Release
v1.1.0
Added API key setup section with sign-up link, created README
Published by @al1enjesus on ClawHub