vwu.ai Veo Models

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward vwu.ai API wrapper, but users should know it uses an API key and sends prompts to an external service.

This skill looks benign and purpose-aligned. Before installing, understand that your prompts and bearer API key are used with vwu.ai, avoid sending sensitive data unless you trust the provider, do not set VWU_BASE_URL to an untrusted host, and make sure zsh, curl, and jq are available.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The key can authorize paid or quota-limited vwu.ai API usage, and a small key prefix could appear in logs or chat transcripts.

Why it was flagged

The script authenticates with a vwu.ai bearer API key and may print a masked prefix on quota errors. This is expected for the stated service, but it is still account/quota authority and the registry metadata does not declare a primary credential.

Skill content

-H "Authorization: Bearer $VWU_API_KEY" ... echo "当前 key: ${VWU_API_KEY:0:8}***"

Recommendation

Use a dedicated vwu.ai API key with appropriate quota limits, avoid sharing logs that include key fragments, and declare VWU_API_KEY as a required credential in metadata.

What this means

Prompt contents leave the local environment and are sent to the configured API endpoint.

Why it was flagged

The user prompt is transmitted to vwu.ai, or to a different endpoint if VWU_BASE_URL is set. This is central to the skill's purpose, but it defines an external data boundary.

Skill content

VWU_BASE_URL="${VWU_BASE_URL:-https://vwu.ai}" ... "$VWU_BASE_URL/v1/chat/completions" ... "content": "$PROMPT"

Recommendation

Do not include secrets or sensitive private data in prompts unless you trust the provider's handling, and only set VWU_BASE_URL to a trusted HTTPS endpoint.

What this means

The skill may fail at runtime or rely on local tools the user did not expect.

Why it was flagged

The helper script depends on zsh, curl, and jq, while the provided requirements declare no required binaries and there is no install spec. The dependencies are purpose-aligned but under-declared.

Skill content

#!/bin/zsh ... response=$(curl -s ...); ... jq -r '.choices[0].message.content'

Recommendation

Declare the required binaries in metadata or verify that zsh, curl, and jq are available before use.

What this means

Following the example exactly may send the wrong arguments or produce an API error.

Why it was flagged

The documented example uses a --model flag, but vwu-chat.sh prints the actual usage as `vwu-chat <model> <prompt>`. This mismatch appears operational rather than deceptive, but it could cause incorrect invocation.

Skill content

vwu-chat --model veo-2.0-generate-001 "你的问题"

Recommendation

Use the script's positional format, such as `vwu-chat veo-2.0-generate-001 "你的问题"`, or update the documentation to match the helper.