Video Generation (t2v & i2v)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do video generation as advertised, but it should be reviewed because it uploads images to third-party hosts and handles local API secrets in a broad way that could expose them.
Install only if you are comfortable using the inference.sh CLI and uploading selected images to ImgBB or SM.MS. Use a dedicated folder and a minimal .env file containing only the needed keys, avoid running from project directories with unrelated secrets, and treat upload errors as potentially sensitive if they include API details.
Publisher note
For using the API, this skill needs network.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the skill is run from a project directory containing unrelated secrets, those secrets may become available to the video-generation CLI, not just the intended video or image-upload credentials.
The script loads every key/value pair from a local .env file into the process environment, and the external inference.sh subprocess inherits the environment by default.
_load_env_file(Path.cwd() / ".env") ... os.environ.setdefault(key, value) ... result = subprocess.run(cmd,
Run the skill from a dedicated directory or pass a dedicated env file containing only required keys. The publisher should whitelist expected variables and pass a filtered environment to subprocesses.
If an ImgBB upload fails, the API key could appear in the agent output, UI logs, or saved conversation transcript.
The ImgBB API key is embedded in the request URL, and upload exceptions are returned as detail text that is printed as JSON; HTTP client exception strings can include the request URL.
url = f"https://api.imgbb.com/1/upload?key={api_key}" ... "detail": str(e) ... print(json.dumps(result, ensure_ascii=False, indent=2))
Do not share failure output publicly. The publisher should redact API keys from errors and avoid returning raw exception strings that may contain credential-bearing URLs.
Images used for animation may become accessible through a third-party URL and may be retained according to that service's policies.
Image-to-video requires sending the selected local image to an external image hosting service so the video model can access it.
Process: 1. Upload local image to cloud storage (SM.MS or ImgBB) **OR use a publicly accessible image URL**
Use only images you are comfortable uploading to the selected host, or provide an already public image URL with known access controls and retention.
The behavior and security of video generation depend partly on the external CLI package installed on the user's machine.
The skill depends on a manually installed global third-party CLI without a pinned version in the provided artifacts.
npm install -g @inference.sh/cli
Install the CLI only from the official source, consider pinning or verifying versions, and review the CLI's account, network, and billing behavior.
Using the skill runs local commands that may contact the video-generation service and consume account quota or credits.
The skill runs the external inference.sh CLI to perform generation. It uses an argument list rather than shell=True, which reduces shell-injection risk, and this execution is central to the stated purpose.
cmd = [
"inference.sh",
"video",
"generate", ...]
result = subprocess.run(
Confirm prompts, model choices, and output locations before running; use dry-run when uncertain.
