Runware Image & Video generation
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: runware Version: 1.0.0 The OpenClaw AgentSkills skill bundle for 'runware' is designed to interact with the Runware API for image and video generation. The `SKILL.md` provides clear, benign instructions for the AI agent and users, without any prompt injection attempts to manipulate agent behavior. The Python scripts (`scripts/image.py` and `scripts/video.py`) handle API key retrieval (from environment or argument), make legitimate API calls to `https://api.runware.ai/v1`, upload local images as data URIs, and download generated media files to the local filesystem. All observed file and network operations are directly aligned with the stated purpose of the skill, and there is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill gives the scripts access to a Runware account credential and may consume Runware credits for generated media.
The skill requires a Runware credential to make API calls. This is expected for the service, but it is noteworthy because the registry metadata declares no required environment variables or primary credential.
Set `RUNWARE_API_KEY` environment variable, or pass `--api-key` to scripts.
Only provide a Runware API key you intend to use with this skill, prefer an environment variable over command-line arguments, and monitor Runware usage or billing.
Prompts and any input images used for transformations or video generation may be transmitted to Runware's API.
The script sends generation tasks to Runware and can encode local input images for image-to-video requests. This is purpose-aligned, but users should recognize that selected image content leaves the local machine.
url = "https://api.runware.ai/v1" ... with open(path, "rb") as f:
b64 = base64.b64encode(f.read()).decode("utf-8")Do not use private or sensitive images or prompts unless you are comfortable sending them to Runware and have reviewed Runware's privacy and retention terms.
There is less publisher and provenance information available for deciding whether to trust the skill.
The artifact metadata does not identify a source repository or homepage. The included code is visible and no remote install is specified, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown Homepage: none
Review the included scripts before use and prefer installing skills from publishers or repositories you trust.