VoooAI - AI Multimedia NL2Workflow Platform
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to be a coherent VoooAI creative-generation integration, but it will send prompts, uploaded media, and an access key to VoooAI and may consume account credits.
Install only if you intend to use VoooAI for hosted multimedia generation. Keep your VOOOAI_ACCESS_KEY private, verify that VOOOAI_BASE_URL points to a trusted VoooAI endpoint, and avoid uploading private or sensitive media unless you are comfortable having it processed by the service.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act under your VoooAI account for creative operations, and the access key will be sent to the configured VoooAI API endpoint.
The scripts send the user's VOOOAI_ACCESS_KEY as a Bearer token to the configured API base URL. This is expected for the integration, but the optional base URL changes where the credential is sent.
BASE_URL = os.environ.get("VOOOAI_BASE_URL", "https://voooai.com") ... "Authorization": f"Bearer {access_key}"Use a dedicated VoooAI access key if possible, keep it private, and leave VOOOAI_BASE_URL unset unless you intentionally trust the alternate endpoint.
Creative prompts and reference media links may be processed by VoooAI's backend service.
User descriptions and reference file URLs are sent to VoooAI's backend AI workflow generator. This is central to the skill's purpose, but it is an external data flow.
body = {"description": description} ... body["reference_urls"] = reference_urls ... api_post("/api/agent/nl2workflow/generate", body, timeout=120)Only provide prompts, images, videos, or audio that you are comfortable sending to VoooAI for processing.
Running workflows may spend VoooAI points or credits associated with your account.
The skill can submit generated workflows for execution and reports consumed points afterward. This is purpose-aligned, but it can use account credits.
resp = api_post("/api/node-builder/execute", body, timeout=120) ... if "points_consumed" in resp: out["points_consumed"] = resp["points_consumed"]Review generated workflow estimates and point warnings before running large or costly creative jobs.