IMA AI Video Generator — Short & Promo Video, Text to Video, Image to Video Generation

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned cloud video generator, but it uses your IMA API key, sends selected prompts/images to IMA services, and keeps local logs.

Install this only if you trust IMA Studio with your API key, prompts, and selected images. Use a revocable key, avoid uploading sensitive media, monitor account credit usage, and periodically review or clear the local log directory if needed.

VirusTotal

60/60 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Video generation may consume IMA credits or otherwise act under the user's IMA account.

Why it was flagged

The skill needs an IMA API key to create video-generation tasks, so it can use the user's IMA account and associated credits.

Skill content

requires:
  env:
    - IMA_API_KEY
  primaryCredential: IMA_API_KEY

Recommendation

Use a revocable API key, monitor IMA account usage, and confirm cost-sensitive model choices before generating expensive videos.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Prompts and selected images are processed by external services rather than staying entirely local.

Why it was flagged

The documentation explicitly discloses that prompts, task parameters, images, and the IMA key are sent to IMA-operated cloud endpoints.

Skill content

`api.imastudio.com` | Main API ... Prompts, model params, task IDs ...
`imapi.liveme.com` | Image upload service ... Image files ... IMA API key

Recommendation

Do not submit sensitive prompts or private images unless you trust IMA Studio's handling of that data.

ASI06: Memory and Context Poisoning
Low
What this means

Local logs may retain generation history or sensitive file path information.

Why it was flagged

The script writes local logs and may record local image file paths or URL prefixes used for generation.

Skill content

Logs: ~/.openclaw/logs/ima_skills/ima_create_YYYYMMDD.log ... logger.info(f"Read local file: {source} ({len(image_bytes)} bytes)")

Recommendation

Review or delete the skill's log directory if local path/history retention is a concern.

ASI02: Tool Misuse and Exploitation
Info
What this means

Running the command would remove the skill's local logs.

Why it was flagged

This is a destructive shell command, but it is scoped to the skill's own log directory and is presented as manual log cleanup.

Skill content

Delete logs: `rm -rf ~/.openclaw/logs/ima_skills/`

Recommendation

Run the cleanup command only if you intentionally want to delete IMA skill logs.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less independent provenance information for the packaged code.

Why it was flagged

The supplied registry metadata does not include a source repository/provenance link, which matters because the skill handles an API key and user media.

Skill content

Source: unknown
Homepage: https://imastudio.com

Recommendation

Verify that the skill publisher and homepage are the expected IMA Studio source before providing an API key.