Image To Video
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a simple guidance skill for an external image-to-video website, with minor notices about shell permission, external data sharing, and inconsistent provenance metadata.
This skill is likely safe as a guidance-only helper, but review the external VideoAny site before uploading images or prompts, and note that the package requests shell execution even though the included helper only prints instructions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be allowed to run a local command for this skill, even though the included command is only a guidance-printing helper.
The skill requests shell execution and documents running a local Python helper. This is disclosed and the helper only prints guidance, but shell access is broader than the core need to point users to a website.
permissions: - shell:exec ... python3 scripts/guide_image_to_video.py
Only allow the local helper to run if you want that convenience; otherwise the website URL and instructions can be used without shell execution.
It is harder to confirm exactly who packaged or owns this skill from the supplied metadata.
The registry-facing metadata and bundled _meta.json disagree on owner and slug, and the source is listed as unknown. This is a provenance inconsistency, though the included code is simple and disclosed.
Registry Owner ID: kn7f27wk0e7j7s7mevdajydmmh834sw2; Slug: image-to-video-any; Source: unknown ... _meta.json ownerId: 3jdzb7678scyo2ox04ws6xl62s92e6pm; slug: image-to-video
Prefer installing only if you trust the registry entry and the VideoAny destination; publishers should align owner, slug, source, and homepage metadata.
Images, prompts, and generated content may be handled by the external VideoAny service if you choose to use it.
The workflow is explicitly external: users are guided to provide their image and prompt to the VideoAny website. This is central to the skill and not hidden, but it is still a third-party data-sharing step.
actual generation is done on VideoAny web
Do not upload private or sensitive images unless you are comfortable with VideoAny's terms and privacy practices.