AI media generation- Flux2pro,Google Veo3.1, Suno Ai..
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Prompts, media URLs, and requested edits may be processed by VAP and its backend providers.
The skill clearly discloses that user generation requests are sent to an external aggregator and then to backend AI providers.
All generation requests go through VAP's API (`api.vapagent.com`), which routes to the appropriate backend provider.
Avoid submitting private or sensitive media unless you are comfortable with VAP and its providers processing it.
If VAP_API_KEY is set, generated media or edits may use the user's paid account, tier, balance, or quota.
The skill uses an optional API key to access full VAP functionality, which is expected for this service but gives the agent delegated access to the user's VAP account.
`VAP_API_KEY set` → Use Full Mode (all features, unlimited)
Use a dedicated or limited VAP API key if available, monitor account usage, and unset the key when you do not want the agent to use paid/full-mode features.
User requests can cause the agent to submit generation or editing jobs to VAP, which may create outputs and consume service quota or balance.
The skill instructs the agent to create remote media-generation tasks through curl. This is central to the skill's purpose, but it is still an external action users should understand.
curl -s -X POST https://api.vapagent.com/v3/tasks ... -d '{"type":"TYPE","params":{"description":"PROMPT"}}'Review generation requests before using full mode for expensive or bulk media tasks.
Users have less registry-level provenance information for verifying who maintains the integration.
The registry metadata does not provide source or homepage provenance, even though the skill itself points to VAP endpoints.
Source: unknown Homepage: none
Verify the VAP website/API and publisher trust before adding credentials or relying on generated outputs.