Yollomi AI Image & Video Generator
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it says—call Yollomi to generate images and videos with your API key—but it can spend Yollomi credits and sends prompts/images to the configured API host.
Install only if you trust Yollomi with the prompts, image URLs, and image/video inputs you ask it to process. Keep YOLLOMI_API_KEY private, avoid untrusted YOLLOMI_BASE_URL overrides, and confirm model choice and credit cost before expensive video or multi-output generations.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad generation request could spend more Yollomi credits than intended, especially for video or multiple-output requests.
The generation tool can invoke models with variable credit costs and multiple outputs. This is central to the skill's purpose and the costs are disclosed, but it can consume account credits.
`yollomi.generate` ... Params: `type`, `modelId`, `prompt`, `imageUrl`, `aspectRatio`, `numOutputs` ... `openai-sora-2 | ~50+`
Review the selected model, output count, and expected credit cost before running expensive generations; use provider-side spending limits if available.
Anyone with access to the configured environment can use the Yollomi API key, and setting YOLLOMI_BASE_URL to an untrusted host would send the key there.
The code uses the required Yollomi API key for authenticated generation requests and sends it to the configured API base URL. This is expected, disclosed behavior for the integration.
const apiKey = requireEnv('YOLLOMI_API_KEY') ... const baseUrl = process.env.YOLLOMI_BASE_URL || 'https://yollomi.com' ... Authorization: `Bearer ${apiKey}`
Store the API key securely, rotate it if exposed, and only set YOLLOMI_BASE_URL to a trusted Yollomi-compatible endpoint.
