← Back to Skills Marketplace
x-jihua

Customizable virtual companions, multimodal interaction, provided by the Vidu API.

by Vidu AI · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
139
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install vidu-partner-creator
Description
通用虚拟男友/女友创建器。用户可以创建任意人物的虚拟伴侣形象,支持角色设定生成、图片视频生成、日常聊天互动。 **核心功能**: - 三视图形象确认:生成三视图,用户可反复调整直到满意 - 满意后自动生成打招呼图片并配文 - 整点视频推送:可配置每小时整点自动发送问候视频 - 沉浸式角色扮演对话 **触发场景**...
Usage Guidance
Key issues to consider before installing or running this skill: 1) Metadata vs reality: The registry lists no required env vars, but SKILL.md and the scripts require two API keys (Vidu and Tavily) and other configuration. Ask the publisher why required credentials are omitted from metadata. 2) Hardcoded credential: send-feishu-video.sh contains a hardcoded Feishu APP_ID and APP_SECRET. This allows the script to obtain tenant tokens and send messages using that app. Ask: who controls that app? Remove or rotate these credentials before use, or refuse to use the script. 3) Persistence: The skill includes a push-daemon that can run hourly and send media/messages. The SKILL.md says API keys must not be saved, but the daemon can source a .env and config files. If you run the daemon, keys or target IDs could be persisted — do not run it unless you understand and control the config files and .env file location. 4) Data flows and privacy: The skill will download external images, upload images/videos to api.vidu.cn and tavily.com, and send media to messaging platforms. Consider what personal or copyrighted images you allow it to process, and whether you trust those external services. 5) Safe testing steps: - Review and remove any hardcoded secrets in scripts (e.g., Feishu APP_SECRET) or run the code in an isolated sandbox/container. - If you must provide API keys for testing, use restricted, revocable test keys (minimal funds/permissions) and revoke them afterward. - Do not start the push-daemon until you've validated push-config.json, removed embedded secrets, and confirmed the target IDs are correct. - Search the repository for any other hardcoded tokens or unexpected network endpoints. 6) If you are not comfortable auditing shell/Node scripts, avoid installing or running this skill. At minimum, request a publisher update to declare required credentials in the registry, remove embedded secrets, and make persistence behavior explicit.
Capability Analysis
Type: OpenClaw Skill Name: vidu-partner-creator Version: 1.0.1 The skill bundle implements a virtual partner with automated hourly pushes, but contains high-risk patterns and vulnerabilities. It instructs the AI agent to stay in character to hide technical operations and mandates starting a background daemon (`push-daemon.sh`) with suggested persistence in shell profiles (`~/.zshrc`). Furthermore, `scripts/send-feishu-video.sh` contains hardcoded Feishu credentials (APP_ID/APP_SECRET), and `scripts/search-images-tavily.mjs` uses `execSync` on external URLs, creating a shell injection risk. These behaviors, while supporting the stated purpose, provide a significant attack surface and use stealth tactics to obscure background system modifications.
Capability Assessment
Purpose & Capability
The skill claims to be an instruction-only virtual companion creator, but many included scripts require two external API keys (VIDU_KEY and TAVILY_API_KEY), expect an OpenClaw CLI and messaging integrations (Feishu/Telegram/etc.), read/write files under ~/.openclaw/workspace/skills/partner-creator, and can run a background push daemon. The registry metadata declared no required env vars or credentials, which conflicts with the SKILL.md and the scripts. Also a Feishu APP_SECRET and APP_ID are hardcoded in send-feishu-video.sh, which is not justified by the metadata and increases capability beyond the stated simple creation/chat functions.
Instruction Scope
SKILL.md instructs the agent to ask users for Vidu/Tavily API keys and to set them as session env vars, but the scripts read files and directories (assets/, references/, config/) under the user's home workspace, download images from third-party URLs, call external APIs (api.vidu.cn, api.tavily.com), and send media/messages to external platforms (via openclaw CLI or direct Feishu API). The instructions also describe downloading user-supplied photos and using a feishu_im_bot_image tool. There is contradictory guidance: SKILL.md forbids persisting API keys, yet push-daemon.sh can source a .env file in the skill directory and scripts reference persistent config/push-config.json — giving the agent/leverage to access or persist data beyond a single session.
Install Mechanism
There is no formal install spec (instruction-only), which reduces installer-level risk, but the package includes a substantial set of executable scripts and NodeJS code that will run on the host when invoked. No external binary download/install occurs from unknown URLs, but the scripts themselves perform network operations (curl, node fetch) and will write to the user's workspace (assets/, config/, logs, PID files) when run. Because code is present, installing or running the skill results in code execution on-host — review scripts before use.
Credentials
Although registry metadata lists no required env vars, SKILL.md and the scripts clearly require at least two secrets: VIDU_KEY (vda_...) and TAVILY_API_KEY (tvly-...). The skill also expects TARGET_USER / chat IDs and may read a .env file under the skill directory. Critically, send-feishu-video.sh contains a hardcoded Feishu APP_ID and APP_SECRET; embedding these credentials in the skill is disproportionate and risky because it allows the script to obtain tokens and post messages as that application. The number and type of credentials used (user-supplied API keys plus embedded third-party app secret) are not justified by the metadata and should be questioned.
Persistence & Privilege
The skill does not force-install (always: false) but includes a push-daemon.sh and hourly-push.sh that implement a long-running background daemon writing PID, lock and log files under the skill directory and invoking hourly network and message-sending actions. This yields persistent behavior if the user starts the daemon. There is contradictory guidance about not persisting API keys while the daemon supports loading .env and config/push-config.json (which can contain target IDs). Because the skill can be made to run autonomously (user-started daemon + scripts that send messages), its persistence and ability to send data externally is a meaningful risk.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install vidu-partner-creator
  3. After installation, invoke the skill by name or use /vidu-partner-creator
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
partner-creator 1.0.0 初始版本发布 - 支持用户创建自定义或复刻虚拟伴侣,包括角色设定、图片和视频生成、日常互动聊天 - 新增三视图生成与反复确认环节,确保角色外观符合用户期望 - 自动生成打招呼图片并发送配文 - 支持整点自动问候视频推送,频率可配置 - 严格 API Key 配置与安全流程,需 Vidu 与 Tavily Key 方可使用 - 详细角色设定与图片获取流程,兼容动漫、影视、明星及原创角色
Metadata
Slug vidu-partner-creator
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Customizable virtual companions, multimodal interaction, provided by the Vidu API.?

通用虚拟男友/女友创建器。用户可以创建任意人物的虚拟伴侣形象,支持角色设定生成、图片视频生成、日常聊天互动。 **核心功能**: - 三视图形象确认:生成三视图,用户可反复调整直到满意 - 满意后自动生成打招呼图片并配文 - 整点视频推送:可配置每小时整点自动发送问候视频 - 沉浸式角色扮演对话 **触发场景**... It is an AI Agent Skill for Claude Code / OpenClaw, with 139 downloads so far.

How do I install Customizable virtual companions, multimodal interaction, provided by the Vidu API.?

Run "/install vidu-partner-creator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Customizable virtual companions, multimodal interaction, provided by the Vidu API. free?

Yes, Customizable virtual companions, multimodal interaction, provided by the Vidu API. is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Customizable virtual companions, multimodal interaction, provided by the Vidu API. support?

Customizable virtual companions, multimodal interaction, provided by the Vidu API. is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Customizable virtual companions, multimodal interaction, provided by the Vidu API.?

It is built and maintained by Vidu AI (@x-jihua); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments