Back to skill
Skillv1.0.3
ClawScan security
Vidu — AI Video Generation - Vidu Q3 & Vidu 2.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 18, 2026, 4:32 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and environment requirements are internally consistent with a video-generation client for Atlas Cloud and do not request unrelated privileges or hidden endpoints.
- Guidance
- This skill appears to do what it claims: it calls Atlas Cloud (api.atlascloud.ai) to generate videos and requires only your ATLASCLOUD_API_KEY. Before installing, confirm you trust Atlas Cloud and understand billing: the API key is account-scoped (no fine-grained scopes) so any use will bill your account. Keep your key secret, review the included script if you want to verify behavior, and avoid sharing the key with third parties. If you need limited-risk testing, create a dedicated Atlas Cloud account/key with minimal funding.
Review Dimensions
- Purpose & Capability
- okName/description (Vidu video generation) align with the provided Python script and SKILL.md. The only required credential is ATLASCLOUD_API_KEY, which is appropriate for calling the Atlas Cloud API; required binaries and config paths are none.
- Instruction Scope
- okSKILL.md and the script clearly instruct the agent/user to send prompts, images, and uploaded media to api.atlascloud.ai. The runtime instructions and script do not attempt to read unrelated system files or environment variables, nor do they direct data to endpoints other than the declared Atlas Cloud API.
- Install Mechanism
- okNo install spec; the skill is instruction-only with a small standalone Python script that uses only the standard library. No downloads from third-party URLs or archive extraction are present.
- Credentials
- noteOnly ATLASCLOUD_API_KEY is required and is the primary credential — this is proportional. Note: SKILL.md explicitly states Atlas Cloud does not support scoped keys, so the key grants access to all models and billing on the account; users should be aware of billing/exposure risk if the key is shared.
- Persistence & Privilege
- okThe skill does not request permanent/always-on privileges, does not modify other skills or system settings, and relies on the agent/user to invoke the included script. Autonomous invocation remains platform-default but is not combined with any unusual privileges.