v1.1.0

Yollomi AI Image & Video Generator

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:57 AM.

Analysis

This is a coherent Yollomi image/video API client that uses the expected Yollomi API key; no artifact shows hidden exfiltration, persistence, or destructive behavior.

GuidanceThis skill appears safe for its stated purpose. Before installing, understand that prompts, image URLs, and generation parameters are sent to Yollomi, and authenticated generation can spend Yollomi credits. Do not override YOLLOMI_BASE_URL unless you trust the destination.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

index.ts

const apiKey = requireEnv('YOLLOMI_API_KEY') ... const baseUrl = process.env.YOLLOMI_BASE_URL || 'https://yollomi.com' ... Authorization: `Bearer ${apiKey}`

The skill uses a Yollomi API key as a bearer token and sends it to the configured API host. This is purpose-aligned and disclosed, but it is still credentialed account access.

User impactAnyone using the skill gives it access to make Yollomi generation requests, which may consume account credits.

RecommendationSet YOLLOMI_API_KEY only when you intend to use this provider, keep YOLLOMI_BASE_URL pointed at a trusted host, and review expensive model or numOutputs choices before generating.