ClawHub

05 Image To Video

v1.0.3

Convert static images into dynamic video clips with motion and subtle effects using Lingya AI image-to-video technology.

0· 115·1 current·1 all-time
by@ghwyever
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (image → video) match the implementation. The manifest and SKILL.md declare API_KEY, API_BASE, and MODEL_NAME and the code uses exactly those values to call an /img2video endpoint. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
SKILL.md describes the required input (image_url) and the need to configure API_KEY/API_BASE/MODEL_NAME. The runtime code follows that scope: it sends image_url to API_BASE/img2video and returns data.video_url. It does not read other files, env vars, or system state.
Install Mechanism
There is no install spec and the skill is effectively instruction+small JS wrapper. Nothing is downloaded or written to disk by an installer. The runtime uses fetch to call the external API.
Credentials
The required environment variables (API_KEY, API_BASE, MODEL_NAME) are appropriate for contacting an external image-to-video service and are declared in the manifest. Caution: API_BASE is arbitrary — if you set it to an attacker-controlled endpoint, the skill will send image_url (and the API_KEY in Authorization header) to that endpoint. Ensure the API_KEY has limited scope and that API_BASE points to a trusted provider. Also be careful when passing private or sensitive image URLs, as they will be transmitted to the configured service.
Persistence & Privilege
The skill is not always:true, does not request persistent system privileges, and does not modify other skills or system-wide config. Autonomous invocation is allowed (default) but that is expected for skills and not in itself a security problem.
Assessment
This skill simply forwards the provided image URL to whatever API_BASE you configure and returns the video URL the service responds with. Before installing: 1) Only set API_BASE to an official, trusted Lingya AI (or other) endpoint — a malicious API_BASE can exfiltrate images and your API_KEY. 2) Give the API_KEY minimal permissions and rotate it if possible. 3) Avoid using private or sensitive image URLs unless you trust the service and have reviewed its privacy policy. 4) If you need higher assurance, review the skill.js source yourself (it is short) and verify API_BASE and API responses during testing with non-sensitive images. Note: manifest.json version differs from registry metadata (minor discrepancy) but does not affect behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk979cvk6mthnxt9c6zgp614emd84jnvs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments