Runware Image & Video generation

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill appears to match its Runware media-generation purpose, but it needs a Runware API key and sends prompts or selected input images to Runware.

This looks like a normal Runware media-generation skill. Before installing, be aware that it needs a Runware API key, may incur Runware usage costs, and sends prompts or selected images to Runware; avoid using sensitive media unless that data sharing is acceptable.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill gives the scripts access to a Runware account credential and may consume Runware credits for generated media.

Why it was flagged

The skill requires a Runware credential to make API calls. This is expected for the service, but it is noteworthy because the registry metadata declares no required environment variables or primary credential.

Skill content

Set `RUNWARE_API_KEY` environment variable, or pass `--api-key` to scripts.

Recommendation

Only provide a Runware API key you intend to use with this skill, prefer an environment variable over command-line arguments, and monitor Runware usage or billing.

What this means

Prompts and any input images used for transformations or video generation may be transmitted to Runware's API.

Why it was flagged

The script sends generation tasks to Runware and can encode local input images for image-to-video requests. This is purpose-aligned, but users should recognize that selected image content leaves the local machine.

Skill content

url = "https://api.runware.ai/v1"
...
with open(path, "rb") as f:
    b64 = base64.b64encode(f.read()).decode("utf-8")

Recommendation

Do not use private or sensitive images or prompts unless you are comfortable sending them to Runware and have reviewed Runware's privacy and retention terms.

What this means

There is less publisher and provenance information available for deciding whether to trust the skill.

Why it was flagged

The artifact metadata does not identify a source repository or homepage. The included code is visible and no remote install is specified, so this is a provenance note rather than evidence of malicious behavior.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included scripts before use and prefer installing skills from publishers or repositories you trust.