IMA AI Video Generator — Short & Promo Video, Text to Video, Image to Video Generation
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: ima-video-ai Version: 1.0.13 The IMA AI Video Generator skill bundle is a well-structured and transparent implementation for interfacing with the IMA Studio video generation API. It includes comprehensive logic for task routing, model selection, and media processing using ffmpeg/ffprobe. While it requires an API key and performs network requests to api.imastudio.com and imapi.liveme.com (for media uploads), these behaviors are explicitly disclosed in SKILL.md, clawhub.json, and SECURITY.md. The code also includes security-conscious features such as SSRF protection in media_utils.py (validating public IP addresses for remote downloads) and uses safe subprocess execution patterns. No evidence of malicious intent, data exfiltration, or unauthorized persistence was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The service can use the provided IMA key to look up products, create tasks, and request upload tokens, which may also relate to account credits or subscription limits.
The skill requires a user credential and sends it to external service endpoints; this is disclosed and expected for the IMA integration.
"The IMA API key is required at runtime (--api-key or IMA_API_KEY). It is sent to api.imastudio.com ... and to imapi.liveme.com ..."
Use a scoped or test key first, prefer the IMA_API_KEY environment variable over command-line secrets, and do not change API endpoints unless you trust them.
Images, videos, audio references, prompts, and generated outputs may leave the local machine and be processed by the provider.
The skill may transfer user-supplied media to external API and storage services as part of the video-generation workflow.
Local media files and derived video cover frames use IMA's upload-token flow and then upload to the pre-signed HTTPS storage URL returned by that service.
Only provide media you are willing to upload to IMA-related services, and review the provider’s privacy and retention terms before using sensitive content.
Future runs may reuse saved model preferences, and local logs may contain operational details until cleaned up.
The skill persists model preferences and logs across runs, which is disclosed and purpose-aligned.
"readWrite": ["~/.openclaw/memory/ima_prefs.json", "~/.openclaw/logs/ima_skills/"], "retention": "Logs are auto-cleaned after 7 days; preferences remain until user deletes them."
Review or delete ~/.openclaw/memory/ima_prefs.json and ~/.openclaw/logs/ima_skills/ if you do not want preferences or logs retained.
A future install could use dependency versions different from those originally tested by the skill author.
The dependency versions are lower-bounded rather than fully pinned, so installation may fetch newer package versions over time.
requests>=2.25.0 Pillow>=10.0.0
Install in a virtual environment and pin or review dependency versions if you need reproducible or high-assurance deployments.
A normal generation run may create a provider task and consume credits or quota.
The natural-language wrapper validates first, but if --dry-run is not set and validation succeeds, it proceeds to execution.
parser.add_argument("--dry-run", action="store_true", help="Only parse and validate; do not execute") ... return run_cli(cli_args, logger=logger)Use --dry-run, --list-models, or the doctor script before first use or whenever you want to verify model choice and parameters without creating a task.