← 返回 Skills 市场
267
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install vwu-veo
功能描述
调用 vwu.ai 平台上的 veo 系列模型,支持五个版本,兼容 OpenAI API,需配置 VWU_API_KEY 后使用。
安全使用建议
This skill mostly does what it says (calls vwu.ai models), but there are a few red flags you should address before trusting it: 1) The registry metadata does not declare VWU_API_KEY or the script's binary dependencies (curl, jq) — expect to set these yourself. 2) The script honors an undocumented VWU_BASE_URL environment variable; if someone sets that to an attacker-controlled host your API key and prompts could be sent there. Only run this script when VWU_BASE_URL is unset or explicitly set to https://vwu.ai. 3) The script prints the first 8 characters of your API key on quota errors — consider removing that behavior and rotate your key if it has been exposed. 4) There's no verified homepage or publisher info — prefer an official source or verify the script contents before use. Recommended actions: inspect the vwu-chat.sh file yourself, run it in a restricted environment, ensure curl and jq are present, set VWU_BASE_URL only to the official host, and use a limited/revocable API key.
功能分析
Type: OpenClaw Skill
Name: vwu-veo
Version: 1.0.0
The skill bundle provides a command-line interface for the vwu.ai API. However, the script `vwu-chat.sh` contains a shell injection vulnerability because it expands the `$PROMPT` and `$MODEL` variables directly within a double-quoted string in the `curl` command. This allows for arbitrary command execution on the host system if the input contains shell metacharacters (e.g., `$(command)` or backticks). While the script appears intended for legitimate API interaction, the lack of input sanitization poses a significant security risk.
能力评估
Purpose & Capability
The script and SKILL.md match the stated purpose: calling vwu.ai veo models using an API key. However the registry metadata does not declare the required environment variable (VWU_API_KEY) or the binary dependencies (curl, jq), which is an incoherence between what the skill needs and what it declares.
Instruction Scope
SKILL.md documents only VWU_API_KEY but the script also reads VWU_BASE_URL (defaults to https://vwu.ai) — that env var is undocumented. Allowing VWU_BASE_URL to be overridden means API requests (and the API key) could be redirected to an arbitrary endpoint if someone sets that env var. The script reads the included models.txt and prints a masked prefix of the API key on quota errors (exposes first 8 characters). Otherwise the instructions stick to the stated task and do not access unrelated files.
Install Mechanism
No install spec (instruction-only with an included script). Nothing is downloaded or installed by the skill itself, which minimizes install-time risk.
Credentials
Requiring VWU_API_KEY is proportional to the skill's purpose, but the skill metadata failed to declare it. The script also relies on curl and jq (not declared). The undocumented VWU_BASE_URL env var increases risk because it can be used to redirect traffic (and the API key) to other hosts. The script reveals the first 8 characters of the API key in some error messages, which is unnecessary exposure.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request elevated privileges or modify other skills or system-wide configs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vwu-veo - 安装完成后,直接呼叫该 Skill 的名称或使用
/vwu-veo触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release
元数据
常见问题
vwu.ai Veo Models 是什么?
调用 vwu.ai 平台上的 veo 系列模型,支持五个版本,兼容 OpenAI API,需配置 VWU_API_KEY 后使用。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 267 次。
如何安装 vwu.ai Veo Models?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vwu-veo」即可一键安装,无需额外配置。
vwu.ai Veo Models 是免费的吗?
是的,vwu.ai Veo Models 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
vwu.ai Veo Models 支持哪些平台?
vwu.ai Veo Models 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 vwu.ai Veo Models?
由 a3273283(@a3273283)开发并维护,当前版本 v1.0.0。
推荐 Skills