Safety Report
Generate videos or images from text, images, or references, create and edit material elements, submit and query asynchronous video generation tasks via bundl...
Security Analysis
medium confidenceThe skill appears to implement a coherent video-generation client, but the package metadata omits the required VIDU_TOKEN and the source/publisher is unknown — this mismatch and lack of provenance warrant caution.
Skill name/description match the included scripts and API usage (image/video upload, submit tasks, query results). However the registry metadata declares no required environment variables while the SKILL.md and every script require VIDU_TOKEN (and optionally VIDU_BASE_URL). That omission is an incoherence between claimed requirements and actual needs.
SKILL.md directs the agent to run the bundled Python scripts which will: read local image files (when you ask to upload), upload them to remote storage via presigned/put URLs, submit tasks to remote API, and stream SSE task-state events back to the model. These behaviors are expected for this purpose but can expose user images and task metadata to the external service; SKILL.md also instructs to 'return the SSE output directly to the model', which grants the model streamed remote state — acceptable for functionality but worth noting for privacy/flow-control.
There is no external download/install step: scripts are bundled and only require Python + requests (and optionally Pillow). No remote install URLs or extracted archives are present.
Scripts require a single service token (VIDU_TOKEN) and optional VIDU_BASE_URL — that is proportionate to the stated purpose. The problem is the skill manifest did not declare these required env vars, creating a mismatch. Also note: providing VIDU_TOKEN gives the skill full API access to the external service (uploading files, creating materials, submitting tasks), so tokens should be limited/rotated and only given if you trust the service/skill.
The skill does not request always:true, does not modify other skills, and is not installing persistent system components. It will run scripts when invoked and may be called autonomously by the agent (default behavior), which increases blast radius but is not by itself a misconfiguration here.
Guidance
This package contains working client scripts for a vidu video-generation API and will upload any local images you point it at and submit jobs using VIDU_TOKEN. Before installing: 1) Note the registry metadata did NOT declare VIDU_TOKEN even though every script requires it — ask the publisher to correct the manifest or refuse until fixed. 2) The skill's source/publisher and homepage are missing; only proceed if you trust the origin. 3) If you proceed, use a minimal, revocable VIDU_TOKEN (least privilege), test with non-sensitive images, and inspect the bundled scripts yourself (they are present readable) to confirm there are no unexpected network calls. 4) Be aware the agent will send your images and prompts to service.vidu.cn or service.vidu.com (configurable), and SSE streams may be forwarded back to the model; if that leaks sensitive metadata avoid using this skill. If you want a higher-confidence assessment, provide the publisher/hosting info or verify the token requirements are added to the skill manifest.
Latest Release
v1.0.0
vidu-skill 1.0.0 - Initial public release of vidu-video-generation skill. - Enables video and material (element) creation via bundled Python scripts—text2video, img2video, headtailimg2video, character2video, and element management. - All interactions use provided scripts; direct API calls are not implemented by this skill. - Supports environment configuration with VIDU_TOKEN and optional VIDU_BASE_URL. - Includes detailed documentation of supported video generation types, arguments, and workflows for both China and International users.
Popular Skills
Published by @calvinzhao on ClawHub
