← Back to Skills Marketplace
280
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install vwu-sora
Description
Access and use sora-2 model on vwu.ai platform via OpenAI-compatible chat API with required API key configuration.
Usage Guidance
This skill appears to be a simple wrapper for vwu.ai's chat API, but there are several mismatches and small risks you should consider before installing:
- The package metadata says no env vars are required, but the script demands VWU_API_KEY and also uses VWU_BASE_URL ( undocumented ). Ask the publisher to declare required environment variables and explain VWU_BASE_URL usage.
- The script requires curl, jq, and a zsh-compatible shell but doesn't declare those binaries. Ensure your runtime has these binaries and review the script before running.
- On quota errors the script prints the first 8 characters of your API key to the console. If you run this in shared logs or CI, that may leak part of your key—ask the maintainer to remove or further mask this.
- Because VWU_BASE_URL can be overridden via environment, verify you only run this in environments where that variable is trusted; otherwise your key could be directed to an attacker-controlled endpoint.
- The source and homepage are unknown; if you plan to use it regularly, obtain a trustworthy upstream/source, or reimplement a vetted client that documents required env vars and avoids logging key fragments.
If you accept these caveats and verify the script yourself, the skill is usable; otherwise treat it cautiously or request fixes from the publisher.
Capability Analysis
Type: OpenClaw Skill
Name: vwu-sora
Version: 1.0.0
The skill provides a shell script (`vwu-chat.sh`) to interact with the vwu.ai API, but it contains a vulnerability due to a lack of input sanitization. The script directly interpolates the `$PROMPT` and `$MODEL` variables into a JSON payload for `curl`, which allows for JSON injection if the input contains unescaped double quotes or other control characters. While the behavior aligns with the stated purpose, this flaw represents a security risk in how the tool handles agent-provided data.
Capability Assessment
Purpose & Capability
The skill's stated purpose (call vwu.ai sora-2 via an OpenAI-compatible API) matches the included script. However the registry metadata declared no required environment variables or binaries while the SKILL.md and vwu-chat.sh clearly require VWU_API_KEY (and rely on curl, jq, and zsh). The metadata omission is an incoherence: a caller or platform expecting no credentials or binaries may not surface required inputs or preconditions.
Instruction Scope
SKILL.md instructs setting VWU_API_KEY and calling the provided script; that stays within the stated purpose. However the script accesses an additional environment variable VWU_BASE_URL (defaulting to https://vwu.ai) which is not documented in SKILL.md, and the script prints a masked form of the API key (first 8 chars) to the console on quota errors — this can leak part of the key into logs/terminals. The script otherwise only sends model and prompt to the configured base URL.
Install Mechanism
There is no install spec (instruction-only plus a helper script). This is lower risk because nothing is downloaded or executed automatically beyond the included script. Note: the script assumes presence of curl, jq, and a zsh-compatible shell; those binaries are not declared in the metadata.
Credentials
The runtime requires an API key (VWU_API_KEY) but the skill metadata lists no required env vars or primary credential. The script also uses VWU_BASE_URL (undocumented) which could be set to a non-official host to redirect the key. The script exposes the first 8 characters of VWU_API_KEY in error output, which risks partial credential leakage to logs or shared consoles. These are disproportionate transparency/metadata issues that reduce trust.
Persistence & Privilege
No elevated persistence requested: always:false, no system config modifications, and the skill does not modify other skills or request permanent platform presence. Autonomous invocation is allowed (platform default) but not combined with other alarming privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install vwu-sora - After installation, invoke the skill by name or use
/vwu-sora - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release - Complete vwu.ai model collection
Metadata
Frequently Asked Questions
What is vwu.ai Sora Models?
Access and use sora-2 model on vwu.ai platform via OpenAI-compatible chat API with required API key configuration. It is an AI Agent Skill for Claude Code / OpenClaw, with 280 downloads so far.
How do I install vwu.ai Sora Models?
Run "/install vwu-sora" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is vwu.ai Sora Models free?
Yes, vwu.ai Sora Models is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does vwu.ai Sora Models support?
vwu.ai Sora Models is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created vwu.ai Sora Models?
It is built and maintained by a3273283 (@a3273283); the current version is v1.0.0.
More Skills