Vidu

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: vwu-vidu
Version: 1.1.0

The skill bundle provides a legitimate interface for interacting with the vwu.ai video generation platform. It contains shell scripts (vwu-chat.sh and vwu-video.sh) that use curl to communicate with the vwu.ai API, and documentation (SKILL.md) explaining how to configure and use the tools. No evidence of data exfiltration, malicious execution, or prompt injection was found; the scripts focus entirely on their stated purpose of video generation and status tracking.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the API key could use the vwu.ai account quota or paid access associated with it.

Why it was flagged

The skill requires a vwu.ai API key and suggests persisting it in a shell profile. This is expected for the service but is still a sensitive account credential.

Skill content

export VWU_API_KEY="sk-your-key-here" ... echo 'export VWU_API_KEY="sk-your-key-here"' >> ~/.zshrc

Recommendation

Use a dedicated, revocable API key; avoid sharing shell profiles or logs; rotate the key if it may have been exposed.

What this means

If VWU_BASE_URL is misconfigured or set to an untrusted endpoint, the API key could be sent somewhere other than the intended provider.

Why it was flagged

The bearer token is sent to a base URL that defaults to vwu.ai but can be overridden by an environment variable.

Skill content

VWU_BASE_URL="${VWU_BASE_URL:-https://api.vwu.ai}" ... -H "Authorization: Bearer $VWU_API_KEY"

Recommendation

Leave VWU_BASE_URL unset unless you intentionally trust the alternate endpoint, and verify it is the official vwu.ai API before use.

What this means

Prompts and selected image contents are sent to the provider and may be subject to that provider's processing, retention, and billing policies.

Why it was flagged

For image-to-video generation, the script reads the user-selected image file, encodes it, and submits it with the prompt to the external vwu.ai API.

Skill content

image_base64=$(base64 -i "$image" | tr -d '\n') ... curl ... "$VWU_BASE_URL/v1/videos"

Recommendation

Do not use private or sensitive images/prompts unless you are comfortable sending them to vwu.ai; review the provider's data and billing terms.

What this means

The skill may fail or behave differently on systems missing those tools, and users may not see the full setup requirements before installing.

Why it was flagged

The script uses runtime tools such as curl, jq, and base64 even though the registry requirements declare no required binaries.

Skill content

response=$(curl -s ...); task_status=$(echo "$response" | jq -r '.status'); image_base64=$(base64 -i "$image" ...)

Recommendation

Declare the required binaries and VWU_API_KEY in metadata so users can review dependencies and credential needs up front.