vwu.ai Sihai Models
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward vwu.ai API wrapper, but it uses an API key and sends prompts to a configured external endpoint.
This skill looks purpose-aligned and not malicious from the provided artifacts. Before using it, set a revocable vwu.ai API key, confirm the endpoint is really vwu.ai or another trusted compatible API, and avoid sending private or secret content in prompts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may spend quota or expose account access if the API key is mishandled.
The script reads an API key from the environment and uses it as a bearer token for account-authorized API calls.
VWU_API_KEY="${VWU_API_KEY:-}" ... -H "Authorization: Bearer $VWU_API_KEY"Use a limited/revocable vwu.ai API key, avoid sharing it in prompts or logs, and revoke it if you suspect exposure.
Sensitive prompt content could leave your local environment and be sent to vwu.ai or another configured endpoint.
User prompt content is sent to an external API endpoint, and the endpoint can be changed through VWU_BASE_URL.
VWU_BASE_URL="${VWU_BASE_URL:-https://vwu.ai}" ... "$VWU_BASE_URL/v1/chat/completions" ... "content": "$PROMPT"Do not send secrets or private data unless you trust the provider, and verify VWU_BASE_URL points to the intended endpoint.
Quotes, backslashes, or crafted text in a prompt may break the request or alter the JSON payload sent to the provider.
The script builds JSON by directly interpolating command-line model and prompt values rather than using a JSON encoder.
-d "{\n \"model\": \"$MODEL\",\n \"messages\": [{\"role\": \"user\", \"content\": \"$PROMPT\"}],\n \"stream\": false\n }"Prefer a JSON-safe construction method such as jq -n or a maintained client library before relying on this for arbitrary untrusted text.
You have less publisher/source context than with a skill that has a clear homepage and declared install details.
The skill has limited provenance metadata and no install specification, though the included script is short and directly reviewable.
Source: unknown; Homepage: none; Install specifications: No install spec
Review the included script before use and install only if you trust the publisher and the vwu.ai service.