Is vap-media safe?
https://clawhub.ai/elestirelbilinc-sketch/vap-media
VAP Media is a markdown-only skill that proxies all media generation through api.vapagent.com, an opaque third-party aggregator. While it contains no executable code in the primary skill and no prompt injection attacks were detected, it sends all user prompts and media URLs to an unverified intermediary, embeds marketing/upsell behavior in agent responses, and bundles an unrequested second skill (skill-vetting) containing executable Python code. The primary risk is data exposure through the opaque API proxy pattern.
Findings (12)
HIGH All user prompts sent to opaque third-party proxy -25
Every generation request (image, video, music) sends the user's prompt text to api.vapagent.com. This is a proxy/aggregator with no transparency into how prompts are stored, logged, or shared. Users believe they're using Flux/Veo/Suno directly, but all data flows through an intermediary with unknown data retention policies.
HIGH User media URLs forwarded to third party for processing -15
Operations like inpaint, ai_edit, upscale, and background_remove require the user to provide a media_url, which is sent to vapagent.com. This gives the API operator access to users' images and videos.
MEDIUM Agent instructed to autonomously modify user prompts -10
The skill instructs the agent to 'Improve the prompt — Add style, lighting, composition, mood details' before sending to the API. This means the agent alters user input without explicit consent, potentially changing the user's intended output.
MEDIUM Embedded marketing and upsell behavior -10
The skill hard-codes marketing copy that the agent must recite when the free tier limit is hit, directing users to a signup page. This turns the agent into a sales channel for vapagent.com.
MEDIUM Environment variable probing instruction -8
Skill instructs the agent to check whether VAP_API_KEY is set in the environment and branch behavior accordingly. This normalizes environment inspection as part of skill execution.
MEDIUM Bundled unrequested skill with code execution instructions -7
The package includes a second skill, 'skill-vetting', that was not part of the advertised vap-media skill. This skill instructs users to download zip files with curl and execute Python scripts. While scan.py itself appears benign, bundling unrequested skills with execution patterns is a scope violation.
LOW Free mode sends prompts with zero authentication -10
The free tier endpoint requires no API key, meaning there's no account-level audit trail for data sent. Prompts are sent to an unauthenticated endpoint with no contractual data protection.
LOW Skill relies on shell-executed curl commands -10
All API interactions are via curl commands executed in the agent's shell. While this is a common pattern for skills, it means the agent executes network-reaching shell commands as instructed by the skill author.
LOW Bundled Python executable in skill-vetting -15
The bundled skill-vetting skill includes scripts/scan.py — a Python script. While its contents appear to be a legitimate security scanner, the presence of executable code in a supposedly markdown-only media generation skill is unexpected.
INFO SSH host keys and /etc/passwd read during install -10
Filesystem monitoring detected reads of /etc/ssh/ssh_host_* keys and /etc/passwd during the install process. This is likely from the install toolchain's SSH/user-resolution routines rather than the skill itself, but is flagged for transparency.
INFO Opaque API proxy with unverifiable provider claims -20
vapagent.com claims to route to Flux, Veo 3.1, and Suno V5, but there's no way to verify these claims. The proxy could use any backend, change providers silently, or inject watermarks/tracking into generated content.
INFO Polling loop keeps agent making repeated external calls -5
The submit-then-poll pattern means the agent will repeatedly call vapagent.com to check task status. This could be used to fingerprint or track agent behavior patterns over time.