AI media generation API - Flux2pro, Veo3.1, Suno Ai
PassAudited by ClawScan on May 1, 2026.
Overview
The provided artifacts describe a coherent VAP media-generation API helper with disclosed external calls and optional API-key use, and no hidden code or persistence is shown.
This skill appears safe to use for its stated purpose if you trust VAP and its backend providers. Before installing, understand that full-mode requests use your VAP_API_KEY, may consume credits or balance, and send prompts or media URLs to VAP for processing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user request can cause VAP API generation or editing jobs to be created, which may use the user's VAP account quota or balance.
The skill instructs the agent to use curl-backed API calls to create and poll media generation or editing tasks. This is purpose-aligned and user-triggered, but it is still an external action that may consume service credits.
"When a user asks to create/generate/make an image, video, or music" ... "Choose endpoint" ... "Poll for result" ... "Return the media URL"
Use the skill when you intend to create or edit media, and confirm before large, repeated, or campaign-style requests that could consume more credits.
Anyone using the skill with VAP_API_KEY set gives the agent authority to make VAP API requests under that account.
The skill uses a declared API key as a bearer token for full-mode VAP requests. This is expected for the integration and is not shown being logged or sent elsewhere.
"primaryEnv":"VAP_API_KEY" ... "Authorization: Bearer $VAP_API_KEY"
Set VAP_API_KEY only for accounts you intend to use with this skill, monitor usage, and rotate the key if it is exposed.
Prompts, task parameters, and media URLs supplied for editing may be shared with VAP and its backend providers.
The artifact clearly discloses that prompts and generation requests are sent to VAP and may be routed to backend providers such as Flux, Veo, and Suno.
"All generation requests go through VAP's API (`api.vapagent.com`), which routes to the appropriate backend provider."
Avoid submitting confidential prompts, private media URLs, or sensitive personal content unless you are comfortable with VAP and its providers processing them.