Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Vidu API comic strip short film generation capability, with built-in AI-generated videos, images, and TTS.
v1.0.1: Turns a user's idea or script into a finished anime film. The whole pipeline, from script writing to automatic stitching, uses the Vidu API for image generation, video generation and TTS; use of any non-Vidu model is prohibited. Use when the user wants an anime/animated short and provides a creative theme or detailed script requirements. Depends on ffmpeg and configured Vidu API credentials.
⭐ 1 · 123 · 1 current · 1 all-time
by Vidu AI (@x-jihua)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The skill's name and description claim it uses the Vidu API and ffmpeg, and the code does call Vidu endpoints and require ffmpeg, but the registry metadata declares no required environment variables or primary credential. The scripts expect VIDU_API_KEY or the platform-specific COZE_VIDU_API_7610322785025425408. The missing declaration is an incoherence: an operator who stores the secret under a different name will see the skill fail, or silently fall through to whichever env name the scripts check next.
Instruction Scope
SKILL.md instructs the operator to install ffmpeg and configure Vidu API credentials. The included scripts read environment variables, call external HTTP endpoints (api.vidu.cn plus arbitrary user-supplied URLs for assets and BGM), download those resources, and write temporary files. Generating and fetching media is within the expected scope, but the scripts also reference environment variables and a platform-specific import (coze_workload_identity) that the registry metadata does not declare, so the agent ends up running system-level install commands and arbitrary network downloads with none of those requirements documented.
Install Mechanism
This is instruction-only (no install spec), so nothing is downloaded automatically at install time, which lowers risk. However, SKILL.md suggests running apt-get install ffmpeg (a system-level change), and the scripts import requests and, in one file, coze_workload_identity.requests; these runtime dependencies are not documented. With no packaged install step, the operator must ensure ffmpeg, requests and coze_workload_identity are present.
Credentials
The code expects API credentials via VIDU_API_KEY or the vendor/platform-specific name COZE_VIDU_API_7610322785025425408, while the registry metadata lists no required env vars or primary credential. Requiring a Vidu API token is proportional for this skill, but the missing declaration combined with a hard-coded skill id inside an env-var name is both an incoherence and a risk: you may have to supply your secret under a name you would not expect. The coze_workload_identity usage also implies platform-specific credential behaviour that should be explained.
Persistence & Privilege
Flags show always:false and the default autonomous-invocation settings. The skill does not request permanent platform privileges, does not modify other skills' configs, and does not claim to persist credentials itself. This is normal.
What to consider before installing
Before installing or enabling this skill:
- Expect to supply a Vidu API key: the scripts look for VIDU_API_KEY or COZE_VIDU_API_7610322785025425408. Ask the author to update the skill metadata to declare the exact required env var name(s) and to mark the primary credential. Do not assume an existing token will be picked up under another name.
- Ensure ffmpeg and the Python dependencies (requests and any platform-provided coze_workload_identity module) are installed where the skill will run. SKILL.md suggests apt-get install ffmpeg, but installation is not automated.
- Review the scripts yourself (they are included). They make HTTP calls to api.vidu.cn and will download any URL given in a timeline config (video/audio/BGM URLs). Running in an isolated environment is recommended because the skill fetches remote content and writes it to disk, and may reach internal or external endpoints (risk of SSRF or unintended network access).
- Confirm what the COZE_* env vars and coze_workload_identity mean on your platform; this looks like a platform-specific credential integration. If you don't recognize it, ask the publisher how credentials are injected and whether they are scoped or limited.
- If you plan to use real credentials, limit token scope and monitor usage (API calls, credits). Test first with a throwaway/dummy Vidu key to verify behaviour.
- If these gaps (undeclared env vars, unspecified dependencies) are not fixed by the author, treat the skill as suspicious and avoid granting it real credentials or running it in a production environment.
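The two review points that matter most above (which env var actually carries the credential, and which URLs the timeline will make the skill download) can be checked before anything is fetched. The pre-flight audit below is an added example written for this page; it is not code from the skill, from Vidu, or from ClawHub's scanner. Only the two env var names and the host api.vidu.cn come from the scan report; the timeline layout (`scenes[].video_url`, `scenes[].audio_url`, `bgm_url`), the sample timeline and the CDN host in the allowlist are assumptions made for illustration.

```python
"""Pre-flight audit for a Vidu-style media skill (added example, not the skill's code).

Resolves the API credential from the env var names the scan report lists, then vets
every asset/BGM URL in a timeline config so that nothing pointing at loopback, private,
link-local (169.254.169.254 metadata) or non-http(s) targets is ever fetched.
"""
import ipaddress
import os
from urllib.parse import urlparse

# Env var names the scan found the scripts reading (from the report above).
CREDENTIAL_ENV_VARS = ("VIDU_API_KEY", "COZE_VIDU_API_7610322785025425408")

# Hosts the operator is willing to let the skill fetch from. api.vidu.cn is named in
# the report; the CDN host is an assumption for illustration.
ALLOWED_HOSTS = {"api.vidu.cn", "cdn.example-assets.invalid"}

# Constructed sample timeline; the key names are an assumption about the config shape.
SAMPLE_TIMELINE = {
    "scenes": [
        {"video_url": "https://api.vidu.cn/renders/scene1.mp4",
         "audio_url": "https://api.vidu.cn/tts/scene1.mp3"},
        {"video_url": "http://169.254.169.254/latest/meta-data/",
         "audio_url": "file:///etc/passwd"},
    ],
    "bgm_url": "https://10.0.0.5/bgm.mp3",
}


def resolve_credential(env=None):
    """Return (var_name, value) for the first declared env var that is set, else None."""
    env = os.environ if env is None else env
    for name in CREDENTIAL_ENV_VARS:
        value = env.get(name)
        if value:
            return name, value
    return None


def url_problems(url):
    """Return the reasons this URL must not be fetched; an empty list means allowed."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        problems.append(f"scheme {parsed.scheme!r} not allowed")
    host = parsed.hostname
    if not host:
        problems.append("no host")
        return problems
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    if ip is not None:
        # Literal IPs are never on the allowlist; additionally name the SSRF classes.
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            problems.append(f"address {host} is not publicly routable")
        else:
            problems.append(f"literal IP {host} is not on the host allowlist")
    elif host.lower() not in ALLOWED_HOSTS:
        problems.append(f"host {host} is not on the allowlist")
    if parsed.username or parsed.password:
        problems.append("credentials embedded in URL")
    return problems


def audit_timeline(timeline):
    """Walk a timeline config; return {url: [problems]} for every URL that fails."""
    findings = {}
    urls = [timeline.get("bgm_url")]
    for scene in timeline.get("scenes", []):
        urls.extend(scene.get(key) for key in ("video_url", "audio_url"))
    for url in urls:
        if url:
            problems = url_problems(url)
            if problems:
                findings[url] = problems
    return findings


if __name__ == "__main__":
    cred = resolve_credential()
    print("credential:", f"found in {cred[0]}" if cred else "NOT SET under any declared name")
    for url, why in audit_timeline(SAMPLE_TIMELINE).items():
        print("BLOCK", url, "->", "; ".join(why))
```

A hostname allowlist is only half of the SSRF control: a permitted name can still resolve to an internal address (DNS rebinding) or redirect to one, so the fetch itself should resolve the name, re-check the resulting address with the same `ip` tests, and either disable redirects or re-run the check on every hop.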
latest · vk97dxwqmbkxs0ves7ajcc2b2t1838f6m
