v2.0.2

Venice API Kit

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:52 AM.

Analysis

This looks like a coherent Venice AI API toolkit, but it includes high-impact admin functions that can create, update, list, and delete Venice API keys using an admin credential.

Guidance: Install only if you want an agent-accessible Venice API toolkit. Prefer an inference-only Venice API key for routine use, keep admin keys separate, and require explicit approval before any API-key or billing/usage administration command is run.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
scripts/api_key_delete.py
Delete an API key. This action is irreversible. ... response = client.delete(f"{VENICE_BASE_URL}/api_keys/{key_id}", headers=headers)

The script performs an irreversible account mutation against the Venice API; it does require a --force flag, but the destructive operation is still exposed to the agent as part of the skill.

User impact: A mistaken or overly broad agent action could delete a Venice API key and disrupt applications or workflows that depend on it.
Recommendation: Require explicit human approval before running API-key create, update, or delete commands, and verify the exact key ID and intended change.
Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
scripts/audio_speech.py
# dependencies = ["httpx"]

The scripts depend on the external Python package httpx without a pinned version; this is expected for an HTTP API toolkit but still worth noticing as a supply-chain dependency.

User impact: Installing or running the scripts may fetch an unpinned dependency version from the Python package ecosystem.
Recommendation: Install dependencies from trusted package sources and consider pinning httpx to a known-good version in controlled environments.
Human-Agent Trust Exploitation
Severity: Low; Confidence: Medium; Status: Note
README.md
All with Venice.ai's privacy-focused inference (no logging, no data retention). ... Trust: Verify you trust Venice.ai before sending sensitive data

The README makes strong privacy claims while also advising users to verify trust before sending sensitive data; users should treat the privacy claim as something to confirm with the provider.

User impact: Users might rely on the stated no-retention/no-logging claim when deciding whether to send sensitive content.
Recommendation: Review Venice's official privacy and data-retention terms before processing sensitive or regulated data through this skill.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High; Confidence: High; Status: Concern
scripts/api_key_create.py
Requires an Admin API key. ... VALID_KEY_TYPES = ["INFERENCE", "ADMIN"]

The skill can use an admin Venice credential to create new API keys, including new ADMIN keys, which is broader and more sensitive than ordinary inference access.

User impact: If installed with an admin Venice key, the agent could gain account-level API-key management authority, not just generate images, audio, embeddings, or video.
Recommendation: Use a least-privileged inference-only Venice API key for normal use, and only enable the API-key management scripts, or run them with an admin key, when you explicitly intend to manage credentials.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
scripts/embeddings.py
text = Path(file_path).read_text(encoding="utf-8") ... response = client.post(f"{VENICE_BASE_URL}/embeddings", headers=headers, json=payload)

The embeddings tool can read user-specified local text files and send their contents to the Venice API; this is purpose-aligned, but it is a sensitive external data flow.

User impact: Text, images, audio, or other user-provided content may be transmitted to Venice AI when using the corresponding tools.
Recommendation: Do not send confidential files or media unless you are comfortable with Venice receiving that content and you trust the provider's privacy commitments.