ClawHub
Back to skill
v1.0.2

VoooAI - AI Multimedia NL2Workflow Platform

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:13 AM.

Analysis

This skill appears to be a coherent VoooAI creative-generation integration, but it will send prompts, uploaded media, and an access key to VoooAI and may consume account credits.

GuidanceInstall only if you intend to use VoooAI for hosted multimedia generation. Keep your VOOOAI_ACCESS_KEY private, verify that VOOOAI_BASE_URL points to a trusted VoooAI endpoint, and avoid uploading private or sensitive media unless you are comfortable having it processed by the service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
scripts/execute_workflow.py
resp = api_post("/api/node-builder/execute", body, timeout=120) ... if "points_consumed" in resp: out["points_consumed"] = resp["points_consumed"]

The skill can submit generated workflows for execution and reports consumed points afterward. This is purpose-aligned, but it can use account credits.

User impactRunning workflows may spend VoooAI points or credits associated with your account.
RecommendationReview generated workflow estimates and point warnings before running large or costly creative jobs.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/_common.py
BASE_URL = os.environ.get("VOOOAI_BASE_URL", "https://voooai.com") ... "Authorization": f"Bearer {access_key}"

The scripts send the user's VOOOAI_ACCESS_KEY as a Bearer token to the configured API base URL. This is expected for the integration, but the optional base URL changes where the credential is sent.

User impactThe skill can act under your VoooAI account for creative operations, and the access key will be sent to the configured VoooAI API endpoint.
RecommendationUse a dedicated VoooAI access key if possible, keep it private, and leave VOOOAI_BASE_URL unset unless you intentionally trust the alternate endpoint.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/generate_workflow.py
body = {"description": description} ... body["reference_urls"] = reference_urls ... api_post("/api/agent/nl2workflow/generate", body, timeout=120)

User descriptions and reference file URLs are sent to VoooAI's backend AI workflow generator. This is central to the skill's purpose, but it is an external data flow.

User impactCreative prompts and reference media links may be processed by VoooAI's backend service.
RecommendationOnly provide prompts, images, videos, or audio that you are comfortable sending to VoooAI for processing.