VidAU Video Generator

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its Vidau video-generation purpose, but it may install Python with system package managers and keeps local API logs containing prompts, results, and account information.

Before installing, confirm you are comfortable with Vidau API usage and possible credit consumption. Do not let the agent install Python automatically unless you approve the package-manager command. Review or clear `~/vidau_api.log` and the Vidau cache files if prompts, media URLs, or account details are sensitive, and only upload local files you intend to share with Vidau.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If Python is not already installed, the agent could attempt to change the user's system packages before running the Vidau scripts.

Why it was flagged

The skill instructs the agent to run OS package-manager installation commands if Python is missing, including a privileged Linux command with `-y`, rather than requiring explicit user approval or using a declared install spec.

Skill content

If both fail, try to install Python for the current platform: ... `sudo apt-get update && sudo apt-get install -y python3` ... `winget install Python.Python.3.12`

Recommendation

Require an explicit user confirmation before any package-manager install, or move setup into a transparent install spec/manual prerequisite.

What this means

Sensitive prompts, generated-video links, and account details may remain on disk after the task completes and could be exposed through local access or backups.

Why it was flagged

API request bodies and response bodies are persisted by default to `~/vidau_api.log`, which can include prompts, image URLs, task IDs, result URLs, user IDs, and credit information. SKILL.md does not prominently disclose this logging or define retention/redaction.

Skill content

`LOG_PATH = os.environ.get("VIDAU_API_LOG", os.path.join(os.path.expanduser("~"), "vidau_api.log"))` ... `f.write(f"Params: {params_or_body or '(none)'}\n")` ... `f.write(f"Body:   {response_body[:2000]}\n")`

Recommendation

Make logging opt-in or clearly disclosed, redact sensitive fields, avoid logging full responses by default, and document how users can disable or delete the log.

What this means

The skill can query account credits and create video tasks under the configured Vidau account, which may consume credits.

Why it was flagged

The scripts use a Vidau API key from the environment or a scoped OpenClaw config entry to act on the user's Vidau account. This is expected for the integration, and the artifacts do not show key exfiltration or hardcoded credentials.

Skill content

Get Vidau API Key: prefer env VIDAU_API_KEY; else read from OpenClaw config ~/.openclaw/openclaw.json skills.entries.vidau.apiKey or env.VIDAU_API_KEY.

Recommendation

Use a key for the intended Vidau account, monitor credit usage, and revoke or rotate the key if it is no longer needed.

What this means

Any local image or video path provided for generation may be uploaded to Vidau and stored or processed by that service.

Why it was flagged

The skill can read a user-specified local media file and upload it to the stated Vidau provider. This is purpose-aligned and user-directed, but it crosses a local-to-cloud data boundary.

Skill content

If the user only has a local image/video (no URL yet): Call `scripts/upload_asset.py <path>` to upload

Recommendation

Only provide files you intend to send to Vidau, and avoid uploading private or regulated media unless the provider terms are acceptable.