← 返回 Skills 市场
280
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install vwu-sora
功能描述
Access and use sora-2 model on vwu.ai platform via OpenAI-compatible chat API with required API key configuration.
安全使用建议
This skill appears to be a simple wrapper for vwu.ai's chat API, but there are several mismatches and small risks you should consider before installing:
- The package metadata says no env vars are required, but the script demands VWU_API_KEY and also uses VWU_BASE_URL ( undocumented ). Ask the publisher to declare required environment variables and explain VWU_BASE_URL usage.
- The script requires curl, jq, and a zsh-compatible shell but doesn't declare those binaries. Ensure your runtime has these binaries and review the script before running.
- On quota errors the script prints the first 8 characters of your API key to the console. If you run this in shared logs or CI, that may leak part of your key—ask the maintainer to remove or further mask this.
- Because VWU_BASE_URL can be overridden via environment, verify you only run this in environments where that variable is trusted; otherwise your key could be directed to an attacker-controlled endpoint.
- The source and homepage are unknown; if you plan to use it regularly, obtain a trustworthy upstream/source, or reimplement a vetted client that documents required env vars and avoids logging key fragments.
If you accept these caveats and verify the script yourself, the skill is usable; otherwise treat it cautiously or request fixes from the publisher.
功能分析
Type: OpenClaw Skill
Name: vwu-sora
Version: 1.0.0
The skill provides a shell script (`vwu-chat.sh`) to interact with the vwu.ai API, but it contains a vulnerability due to a lack of input sanitization. The script directly interpolates the `$PROMPT` and `$MODEL` variables into a JSON payload for `curl`, which allows for JSON injection if the input contains unescaped double quotes or other control characters. While the behavior aligns with the stated purpose, this flaw represents a security risk in how the tool handles agent-provided data.
能力评估
Purpose & Capability
The skill's stated purpose (call vwu.ai sora-2 via an OpenAI-compatible API) matches the included script. However the registry metadata declared no required environment variables or binaries while the SKILL.md and vwu-chat.sh clearly require VWU_API_KEY (and rely on curl, jq, and zsh). The metadata omission is an incoherence: a caller or platform expecting no credentials or binaries may not surface required inputs or preconditions.
Instruction Scope
SKILL.md instructs setting VWU_API_KEY and calling the provided script; that stays within the stated purpose. However the script accesses an additional environment variable VWU_BASE_URL (defaulting to https://vwu.ai) which is not documented in SKILL.md, and the script prints a masked form of the API key (first 8 chars) to the console on quota errors — this can leak part of the key into logs/terminals. The script otherwise only sends model and prompt to the configured base URL.
Install Mechanism
There is no install spec (instruction-only plus a helper script). This is lower risk because nothing is downloaded or executed automatically beyond the included script. Note: the script assumes presence of curl, jq, and a zsh-compatible shell; those binaries are not declared in the metadata.
Credentials
The runtime requires an API key (VWU_API_KEY) but the skill metadata lists no required env vars or primary credential. The script also uses VWU_BASE_URL (undocumented) which could be set to a non-official host to redirect the key. The script exposes the first 8 characters of VWU_API_KEY in error output, which risks partial credential leakage to logs or shared consoles. These are disproportionate transparency/metadata issues that reduce trust.
Persistence & Privilege
No elevated persistence requested: always:false, no system config modifications, and the skill does not modify other skills or request permanent platform presence. Autonomous invocation is allowed (platform default) but not combined with other alarming privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vwu-sora - 安装完成后,直接呼叫该 Skill 的名称或使用
/vwu-sora触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release - Complete vwu.ai model collection
元数据
常见问题
vwu.ai Sora Models 是什么?
Access and use sora-2 model on vwu.ai platform via OpenAI-compatible chat API with required API key configuration. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 280 次。
如何安装 vwu.ai Sora Models?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vwu-sora」即可一键安装,无需额外配置。
vwu.ai Sora Models 是免费的吗?
是的,vwu.ai Sora Models 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
vwu.ai Sora Models 支持哪些平台?
vwu.ai Sora Models 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 vwu.ai Sora Models?
由 a3273283(@a3273283)开发并维护,当前版本 v1.0.0。
推荐 Skills