Safety Report
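Turns a user's idea or script into a complete finished anime, using the Vidu API for the whole pipeline from script writing to automatic stitching (image generation, video generation and TTS), with any non-Vidu model prohibited. Use when the user needs to produce an anime/animated short or provides a creative theme or detailed script requirements; depends on ffmpeg and configured Vidu API credentials.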
Security Analysis
medium confidence
The skill mostly does what its description says (Vidu-based anime/video/TTS pipeline) but there are important mismatches and undeclared requirements (Vidu API env vars, ffmpeg, odd dependency usage) that should be clarified before installing.
The skill's name/description claim it uses Vidu API and ffmpeg — the code indeed calls Vidu endpoints and requires ffmpeg — but the registry metadata does not declare any required environment variables or primary credential. The scripts expect VIDU_API_KEY or a specific env var COZE_VIDU_API_7610322785025425408. That missing declaration is an incoherence (the skill will fail or silently look for other env names).
SKILL.md instructs the user to install ffmpeg and configure Vidu API credentials; the included scripts access environment variables, call external HTTP endpoints (api.vidu.cn and arbitrary user-supplied URLs for assets/BGM), download resources, and write temporary files. The instructions and scripts are broadly scoped to generate/fetch media (expected) but they reference environment variables and a platform-specific import (coze_workload_identity) that are not declared in registry metadata — granting the agent access to system-level install commands and arbitrary network downloads without those requirements documented.
This is instruction-only (no install spec) so nothing is automatically downloaded at install time, which is lower risk. However, SKILL.md suggests running apt-get install ffmpeg (system-level), and the scripts import requests and (in one file) coze_workload_identity.requests; these runtime dependencies are not documented. There's no packaged install step, so the operator must ensure ffmpeg/requests/coze_workload_identity are present.
The code expects API credentials via VIDU_API_KEY or a vendor/platform-specific env name COZE_VIDU_API_7610322785025425408. Registry metadata lists no required env vars or primary credential. Requiring an API token for Vidu is proportional for this skill, but the missing declaration plus a hard-coded skill id/env-var name is an incoherence and a risk (you may need to provide a differently named secret). Also the coze_workload_identity usage implies platform-specific credential behavior that should be explained.
Flags show always:false and default autonomous invocation settings. The skill does not request permanent platform privileges, does not modify other skills' configs, nor claim to persist credentials itself. This is normal.
Guidance
Before installing or enabling this skill:
- Expect to supply a Vidu API key: the scripts look for VIDU_API_KEY or COZE_VIDU_API_7610322785025425408. Ask the author to update the skill metadata to declare the exact required env var name(s) and mark the primary credential. Do not assume your existing tokens will be picked up under another name.
- Ensure ffmpeg and Python dependencies (requests and any platform-provided coze_workload_identity module) are installed where the skill will run. The SKILL.md suggests apt-get install ffmpeg but installation is not automated.
- Review the scripts yourself (they are included). They make HTTP calls to api.vidu.cn and will download arbitrary URLs provided in timeline configs (video/audio/BGM URLs). Running in an isolated environment is recommended because the skill will fetch and write remote content to disk and may reach internal/external endpoints (risk of SSRF or unintended network access).
- Confirm what COZE_* env vars and coze_workload_identity mean on your platform — this looks like a platform-specific credential integration. If you don't recognize it, ask the publisher how credentials are injected and whether credentials are scoped/limited.
- If you plan to use real credentials, limit token scope and monitor usage (API calls, credits). Test first with a throwaway/dummy Vidu key to verify behavior.
- If these gaps (undeclared env vars, unspecified dependencies) are not fixed by the author, consider the skill suspicious and avoid granting it real credentials or running it in a production environment.
Latest Release
v1.0.1
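anime-production-update v1.0.1
- Newly designed anime production Skill, supporting full-pipeline automation from script to final cut
- Explicitly requires that all image, video and speech synthesis steps call only the Vidu API (any non-Vidu model is prohibited)
- Details 10 major operating steps, including the script calls for each step, user confirmation points, and support for optional branch scenarios
- Detailed storyboard and storyboard prompt specifications, ensuring highly consistent style, characters and scenes and high-quality output
- Integrates ffmpeg and script execution requirements to automatically stitch the timeline and produce the finished film
- Improved user interaction flow: every key asset requires user confirmation to ensure creative quality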
Published by @x-jihua on ClawHub