← 返回 Skills 市场
139
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install vidu-partner-creator
功能描述
通用虚拟男友/女友创建器。用户可以创建任意人物的虚拟伴侣形象,支持角色设定生成、图片视频生成、日常聊天互动。 **核心功能**: - 三视图形象确认:生成三视图,用户可反复调整直到满意 - 满意后自动生成打招呼图片并配文 - 整点视频推送:可配置每小时整点自动发送问候视频 - 沉浸式角色扮演对话 **触发场景**...
安全使用建议
Key issues to consider before installing or running this skill:
1) Metadata vs reality: The registry lists no required env vars, but SKILL.md and the scripts require two API keys (Vidu and Tavily) and other configuration. Ask the publisher why required credentials are omitted from metadata.
2) Hardcoded credential: send-feishu-video.sh contains a hardcoded Feishu APP_ID and APP_SECRET. This allows the script to obtain tenant tokens and send messages using that app. Ask: who controls that app? Remove or rotate these credentials before use, or refuse to use the script.
3) Persistence: The skill includes a push-daemon that can run hourly and send media/messages. The SKILL.md says API keys must not be saved, but the daemon can source a .env and config files. If you run the daemon, keys or target IDs could be persisted — do not run it unless you understand and control the config files and .env file location.
4) Data flows and privacy: The skill will download external images, upload images/videos to api.vidu.cn and tavily.com, and send media to messaging platforms. Consider what personal or copyrighted images you allow it to process, and whether you trust those external services.
5) Safe testing steps:
- Review and remove any hardcoded secrets in scripts (e.g., Feishu APP_SECRET) or run the code in an isolated sandbox/container.
- If you must provide API keys for testing, use restricted, revocable test keys (minimal funds/permissions) and revoke them afterward.
- Do not start the push-daemon until you've validated push-config.json, removed embedded secrets, and confirmed the target IDs are correct.
- Search the repository for any other hardcoded tokens or unexpected network endpoints.
6) If you are not comfortable auditing shell/Node scripts, avoid installing or running this skill. At minimum, request a publisher update to declare required credentials in the registry, remove embedded secrets, and make persistence behavior explicit.
功能分析
Type: OpenClaw Skill
Name: vidu-partner-creator
Version: 1.0.1
The skill bundle implements a virtual partner with automated hourly pushes, but contains high-risk patterns and vulnerabilities. It instructs the AI agent to stay in character to hide technical operations and mandates starting a background daemon (`push-daemon.sh`) with suggested persistence in shell profiles (`~/.zshrc`). Furthermore, `scripts/send-feishu-video.sh` contains hardcoded Feishu credentials (APP_ID/APP_SECRET), and `scripts/search-images-tavily.mjs` uses `execSync` on external URLs, creating a shell injection risk. These behaviors, while supporting the stated purpose, provide a significant attack surface and use stealth tactics to obscure background system modifications.
能力评估
Purpose & Capability
The skill claims to be an instruction-only virtual companion creator, but many included scripts require two external API keys (VIDU_KEY and TAVILY_API_KEY), expect an OpenClaw CLI and messaging integrations (Feishu/Telegram/etc.), read/write files under ~/.openclaw/workspace/skills/partner-creator, and can run a background push daemon. The registry metadata declared no required env vars or credentials, which conflicts with the SKILL.md and the scripts. Also a Feishu APP_SECRET and APP_ID are hardcoded in send-feishu-video.sh, which is not justified by the metadata and increases capability beyond the stated simple creation/chat functions.
Instruction Scope
SKILL.md instructs the agent to ask users for Vidu/Tavily API keys and to set them as session env vars, but the scripts read files and directories (assets/, references/, config/) under the user's home workspace, download images from third-party URLs, call external APIs (api.vidu.cn, api.tavily.com), and send media/messages to external platforms (via openclaw CLI or direct Feishu API). The instructions also describe downloading user-supplied photos and using a feishu_im_bot_image tool. There is contradictory guidance: SKILL.md forbids persisting API keys, yet push-daemon.sh can source a .env file in the skill directory and scripts reference persistent config/push-config.json — giving the agent/leverage to access or persist data beyond a single session.
Install Mechanism
There is no formal install spec (instruction-only), which reduces installer-level risk, but the package includes a substantial set of executable scripts and NodeJS code that will run on the host when invoked. No external binary download/install occurs from unknown URLs, but the scripts themselves perform network operations (curl, node fetch) and will write to the user's workspace (assets/, config/, logs, PID files) when run. Because code is present, installing or running the skill results in code execution on-host — review scripts before use.
Credentials
Although registry metadata lists no required env vars, SKILL.md and the scripts clearly require at least two secrets: VIDU_KEY (vda_...) and TAVILY_API_KEY (tvly-...). The skill also expects TARGET_USER / chat IDs and may read a .env file under the skill directory. Critically, send-feishu-video.sh contains a hardcoded Feishu APP_ID and APP_SECRET; embedding these credentials in the skill is disproportionate and risky because it allows the script to obtain tokens and post messages as that application. The number and type of credentials used (user-supplied API keys plus embedded third-party app secret) are not justified by the metadata and should be questioned.
Persistence & Privilege
The skill does not force-install (always: false) but includes a push-daemon.sh and hourly-push.sh that implement a long-running background daemon writing PID, lock and log files under the skill directory and invoking hourly network and message-sending actions. This yields persistent behavior if the user starts the daemon. There is contradictory guidance about not persisting API keys while the daemon supports loading .env and config/push-config.json (which can contain target IDs). Because the skill can be made to run autonomously (user-started daemon + scripts that send messages), its persistence and ability to send data externally is a meaningful risk.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vidu-partner-creator - 安装完成后,直接呼叫该 Skill 的名称或使用
/vidu-partner-creator触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
partner-creator 1.0.0 初始版本发布
- 支持用户创建自定义或复刻虚拟伴侣,包括角色设定、图片和视频生成、日常互动聊天
- 新增三视图生成与反复确认环节,确保角色外观符合用户期望
- 自动生成打招呼图片并发送配文
- 支持整点自动问候视频推送,频率可配置
- 严格 API Key 配置与安全流程,需 Vidu 与 Tavily Key 方可使用
- 详细角色设定与图片获取流程,兼容动漫、影视、明星及原创角色
元数据
常见问题
Customizable virtual companions, multimodal interaction, provided by the Vidu API. 是什么?
通用虚拟男友/女友创建器。用户可以创建任意人物的虚拟伴侣形象,支持角色设定生成、图片视频生成、日常聊天互动。 **核心功能**: - 三视图形象确认:生成三视图,用户可反复调整直到满意 - 满意后自动生成打招呼图片并配文 - 整点视频推送:可配置每小时整点自动发送问候视频 - 沉浸式角色扮演对话 **触发场景**... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 139 次。
如何安装 Customizable virtual companions, multimodal interaction, provided by the Vidu API.?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vidu-partner-creator」即可一键安装,无需额外配置。
Customizable virtual companions, multimodal interaction, provided by the Vidu API. 是免费的吗?
是的,Customizable virtual companions, multimodal interaction, provided by the Vidu API. 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Customizable virtual companions, multimodal interaction, provided by the Vidu API. 支持哪些平台?
Customizable virtual companions, multimodal interaction, provided by the Vidu API. 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Customizable virtual companions, multimodal interaction, provided by the Vidu API.?
由 Vidu AI(@x-jihua)开发并维护,当前版本 v1.0.1。
推荐 Skills