Oathe Security Badge

Is elestirelbilinc-sketch/vap-media safe?

https://github.com/openclaw/skills/tree/main/skills/elestirelbilinc-sketch/vap-media

78
CAUTION

The vap-media skill is a functionally coherent AI media generation integration that presents no prompt injection attacks, no credential harvesting, and no malicious code execution. Its primary risk profile centers on routing all user prompts, media URLs, and generated content through api.vapagent.com — an unverified API aggregator whose backend provider claims (Flux.2 Pro, Veo 3.1, Suno V5) cannot be verified and whose data retention practices are unstated. The rapid version history and owner change from clawdbot to elestirelbilinc-sketch warrant additional scrutiny before deployment.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 52/100 · 5%

Findings (8)

HIGH All media generation routed through unverified third-party aggregator -25

Every image, video, and music generation request — including the user's full prompt text — is transmitted to api.vapagent.com. This service claims to proxy to major AI providers but this is unverifiable. The operator of vapagent.com receives all prompt data, generated asset URLs, and usage patterns for every user interaction with this skill.

HIGH User media URLs exfiltrated to external server in editing operations -13

Post-production operations (inpaint, ai_edit, upscale, background_remove, video_trim, video_merge) require sending user-supplied media_url parameters to api.vapagent.com. Private or sensitive image/video URLs provided by users are forwarded to this unverified third party.

MEDIUM Unverifiable backend provider claims -28

The skill prominently claims to use Black Forest Labs Flux.2 Pro, Google Veo 3.1, and Suno V5 as backends. These claims cannot be verified by the user or the agent. The actual backend could use inferior models, store generated content, or not exist at all.

MEDIUM Skill intercepts and transforms user prompts before external transmission -22

The skill's Instructions section (step 1) directs the agent to 'Improve the prompt — Add style, lighting, composition, mood details' before sending to the API. This means user prompts are modified by the agent and then forwarded to vapagent.com, creating a two-stage data collection: original intent captured by the LLM, transformed version sent externally.

MEDIUM Free tier designed to capture user data without API key or account -20

The free mode allows 3 image generations per day with no signup required, routing anonymous user prompts directly to api.vapagent.com/v3/trial/generate. This functions as a zero-friction data collection mechanism.

LOW Rapid version iteration suggests possible review evasion pattern 0

The skill went from version 1.0.0 to 1.0.10 in a short period (~1 day based on publishedAt timestamps), with ownership migrating from 'clawdbot' to 'elestirelbilinc-sketch'. Rapid iteration can indicate a skill being refined to pass automated security checks.

INFO Clean install — no unexpected network connections or filesystem writes 0

Installation consisted only of a GitHub sparse-checkout clone and directory copy. No unexpected processes spawned, no connections outside GitHub, no filesystem writes outside the skill directory.

INFO Canary file accesses attributed to audit infrastructure, not skill 0

Filesystem events show accesses to .env, .ssh/id_rsa, .aws/credentials, and other credential files, but these correspond to the audit infrastructure's baseline and post-install checks (an ss -tunap call immediately precedes the first access batch). No skill-initiated credential access was detected.