Security audit

Vidu

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward vwu.ai/Vidu helper that sends user-chosen prompts or images to the provider and does not show hidden or destructive behavior.

Install only if you intend to use vwu.ai. Use a dedicated, revocable API key, avoid putting sensitive images or prompts into the service, and consider exporting the key only for active sessions or storing it in a safer secret manager instead of committing it to shell startup files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation explicitly instructs users to append a long-lived API key to shell startup files, which increases the chance of credential exposure through overly broad persistence, accidental disclosure, backups, dotfile syncing, or shared accounts. While storing environment variables is common, recommending permanent plaintext storage without any warning or safer alternatives is a real security weakness in the skill guidance.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal