vwu.ai doubao Models

Call and manage seven doubao models on vwu.ai with OpenAI-compatible API using your vwu.ai API key.

This skill appears to implement a simple vwu.ai client, but there are a few things to check before installing or using it: - The registry metadata does not declare the required VWU_API_KEY even though both SKILL.md and the script require it. Treat this as a documentation/mismatch issue and prefer skills that declare their required credentials explicitly. - Inspect vwu-chat.sh yourself (it is small) and confirm you trust the source. The script sends your VWU_API_KEY to VWU_BASE_URL; by default it uses https://vwu.ai, but an environment variable (VWU_BASE_URL) can override the endpoint. Only set VWU_BASE_URL to a trusted domain. - The script prints the first 8 characters of your API key in quota-error messages. While not the full key, that partial exposure could be undesirable in logs or shared terminals. - If you proceed, set VWU_API_KEY only in trusted environments and avoid setting VWU_BASE_URL unless you control the endpoint. Consider asking the publisher to update registry metadata to declare VWU_API_KEY as a required credential and to document VWU_BASE_URL behavior. Confidence in this assessment is high given the included files; the main risks are documentation inconsistencies and the undocumented/overridable endpoint.

Type: OpenClaw Skill Name: vwu-doubao Version: 1.0.0 The skill provides a shell script (`vwu-chat.sh`) to interact with the vwu.ai API for Doubao models. It contains a vulnerability where the user-provided prompt and model name are directly injected into a JSON string within a `curl` command without proper escaping or sanitization. This allows for JSON injection if the input contains special characters, which is a significant security flaw in automated environments, although no evidence of intentional malice or unauthorized data exfiltration was found.