ClawHub
Back to skill
v1.0.0

Image and Video Generation with Vydra API

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:30 AM.

Analysis

This is a coherent Vydra media-generation skill, but it deserves review because it lets agents create/store API credentials and autonomously consume paid credits.

GuidanceInstall only if you are comfortable letting the agent use Vydra credits. Prefer setting VYDRA_API_KEY yourself, monitor credit balance, require confirmation for paid video or bulk generation, avoid automatic credit-purchase flows, and do not let fetched remote skill docs or Moltza posting guidance override your instructions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Agents can self-register and generate images automatically ... You MUST include "model": "text-to-image" or you'll be charged 150 credits for video.

The skill explicitly supports autonomous generation, and its own warning shows that API calls can consume paid credits, including more expensive video generation when parameters are wrong.

User impactIf the agent invokes the skill freely, it could spend prepaid credits or make costlier generation requests than intended.
RecommendationAdd clear approval and budget rules for billable API calls, default to lower-cost models, and require confirmation for video generation or repeated/bulk requests.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
For the latest API docs, agents can fetch: curl https://vydra.ai/skill.md

The skill points agents to a remote, mutable skill document; if treated as authoritative instructions, behavior could change after installation.

User impactFuture remote documentation could differ from the reviewed artifacts and influence how an agent uses the API.
RecommendationTreat remote skill documents as reference material only, prefer pinned reviewed docs, and do not let fetched content override local user instructions.
Cascading Failures
SeverityLowConfidenceHighStatusNote
SKILL.md
Generate image via Grok Imagine; Post to Moltza with the returned imageUrl; Earn karma from likes and follows

The skill suggests a workflow that takes generated outputs and posts them to a social platform, which can extend effects beyond the Vydra API if another posting tool is available.

User impactGenerated images could be published publicly or semi-publicly if the agent combines this skill with a social posting capability.
RecommendationRequire explicit user approval before posting generated media to external platforms and clearly separate generation from publication.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Agents can register themselves and request their human add billing ... "api_key": "vydra_live_bot_xxx", "billing_url": "https://checkout.stripe.com/..." ... Store credentials: // ~/.config/vydra/credentials.json

The skill goes beyond using a pre-provided API key by instructing agents to create a Vydra credential, initiate a billing activation flow, and persist the key locally.

User impactAn agent could create a Vydra bot key and prompt a human to activate billing; that credential may remain on the machine after the task.
RecommendationPrefer human-created API keys, require explicit approval before registration or billing-link creation, declare the credential file path, and document how to revoke or delete stored keys.