Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vidu API supports text-based images, reference images, and image editing.

v1.0.0

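Vidu AI image generation. Supports Nano image generation and Vidu reference-based image generation. Conversational invocation with automatic intent recognition.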

by Vidu AI @x-jihua
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill name/description and SKILL.md focus on image generation, but the included CLI (scripts/vidu_cli.py) implements many additional capabilities: video endpoints (text2video, img2video, reference2video, etc.), audio/TTS and voice-clone endpoints. Those extra capabilities are not documented in the SKILL.md summary or registry metadata, which makes the overall purpose and required privileges unclear.
! Instruction Scope
SKILL.md instructs the agent to call the provided Python CLI for image-generation and status checks and documents image-specific behavior. The CLI, however, can read local files (converting images to base64), fetch remote URLs, and supports additional commands (video/audio) not documented in SKILL.md. This gives the agent the ability to upload arbitrary local files and call endpoints beyond the documented scope if invoked.
Install Mechanism
No install spec is present; the skill is instruction + a bundled Python script. No external downloads or installers are used, so nothing is automatically written to disk beyond the packaged files. This is the lower-risk install pattern.
! Credentials
Registry metadata declared no required environment variables, but SKILL.md and the CLI both require VIDU_API_KEY. The skill will read VIDU_API_KEY from the environment and will fail without it. Requesting a single API key is reasonable for an external service, but the registry omission is an inconsistency that could confuse users and automated permission checks. Also note: the CLI will include local image data (base64) in API requests — supplying local files causes data to be transmitted to the remote API.
Persistence & Privilege
The skill does not request 'always: true' and does not declare modifications to other skills or global agent configuration. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges here.
What to consider before installing
Before installing, consider the following:
- The registry metadata omitted required env vars: this skill requires VIDU_API_KEY (the SKILL.md and code both check for it). Confirm you trust the VIDU API provider before supplying a key.
- The shipped Python CLI supports video and audio endpoints (text2video, TTS, voice clone) in addition to image generation. If you only want simple image generation, be cautious: the agent could be instructed to use the extra endpoints or to upload other local files.
- Using local images means the script will read files, base64-encode them, and send them to the remote API — do not supply sensitive images you don't want transmitted.
- There is no declared homepage or official source; prefer skills with an identified upstream repo or vendor. If you plan to use this skill, review the full scripts/vidu_cli.py file (and the API endpoints) yourself or only provide an API key with limited scope/permissions.
- If anything about the domain selection, endpoints, or required behaviors is unclear, ask the publisher for an authoritative homepage, documentation, or a signed release before trusting API credentials.

Like a lobster shell, security has layers — review code before you run it.
