Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Vidu API voice timbre replication and voice generation capabilities, with over 100 built-in voice IDs.
v1.0.0Vidu AI 语音合成与声音复刻。支持303个音色TTS语音合成、声音复刻功能。对话式调用,自动推荐音色。
⭐ 0· 111·0 current·0 all-time
byVidu AI@x-jihua
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description and SKILL.md describe TTS and voice cloning and the need for a VIDU_API_KEY, which is coherent. However, the included CLI (scripts/vidu_cli.py) implements many additional media endpoints (text2video, img2video, reference2video, image generation, etc.) not emphasized in the skill description. This expands the capability surface beyond the stated purpose and may be unexpected to users who only want TTS/voice-clone.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python CLI which: (a) posts JSON to remote API endpoints (api.vidu.cn / api.vidu.com) using the VIDU_API_KEY, (b) can convert local images to base64 and include them in requests (image_to_base64), and (c) will download files from returned URLs. That means the skill can transmit local file contents (images at minimum) to an external service and download remote files to {baseDir}/uploads/. The SKILL.md examples focus on audio, but the CLI supports uploading/embedding local content for other media types, so the runtime instructions permit reading and transmitting local files beyond what a user might expect.
Install Mechanism
No install spec (instruction-only with bundled script). Nothing is downloaded or installed automatically by the skill manifest; the only code is the included Python CLI. This is lower risk than remote downloads, but the included script will be executed by the agent.
Credentials
The registry metadata lists no required env vars, but SKILL.md and the CLI require a VIDU_API_KEY. Requiring an API key for the external TTS/clone service is proportionate. However, the manifest metadata inconsistency (declaring no env vars while code mandates VIDU_API_KEY) is confusing and could mislead users into installing without realizing they must supply a credential.
Persistence & Privilege
The skill does not request always: true and uses normal invocation modes. It does not appear to modify other skills or system-wide settings. Autonomous invocation is enabled by default (disable-model-invocation: false), which is normal — but because the skill can call external APIs and send files, that autonomous ability increases potential impact and is worth user attention.
What to consider before installing
This skill is primarily a TTS/voice-clone tool that will call external Vidu APIs and requires an API key (VIDU_API_KEY). Before installing: 1) Verify you trust the Vidu service and the domains api.vidu.cn / api.vidu.com and that the API key you provide can be revoked if needed. 2) Be aware the bundled CLI supports many extra features (video/image endpoints) and can read local files (convert images to base64) and send them to the remote API — avoid giving it or uploading any sensitive local files. 3) Note the manifest metadata omitted the required VIDU_API_KEY (inconsistency); confirm how the agent will be configured with that key. 4) If you want minimal risk, run this skill in a sandboxed environment or inspect/modify scripts to remove unneeded endpoints before use. If you need more certainty, ask the skill author for provenance (homepage/source) and an explanation for why the CLI exposes non-voice endpoints.Like a lobster shell, security has layers — review code before you run it.
latestvk973x4q4frwevfxcwtxa2s87vd839dh5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.