Dream Talking Image
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent for generating talking-image videos, but users should notice that it uses a service API key and sends image/audio URLs to an external provider.
This appears safe to install if you intend to use the Dream/Newport Talking Image API. Before configuring it, confirm the provider links, use a limited API key if available, and avoid sending private photos or audio unless you are comfortable with the provider processing them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can make authorized API requests using the configured key, which may consume account quota or access paid provider functionality.
The skill requires a provider API key and uses it as a bearer token for the Talking Image API. This is expected for the stated purpose, but it is still account-level authority.
requires: {"env": ["DREAMTALKINGIMAGE_API_KEY"]} ... Authorization: Bearer {DREAMTALKINGIMAGE_API_KEY}
Use a service-specific API key with appropriate limits, monitor usage, and rotate the key if it is exposed.
Photos, audio, and generated-video inputs may be processed by a third-party service, which could matter for private or sensitive media.
The documented workflow sends image and audio locations, and possibly uploaded local files, to an external API provider for processing.
Upload your local files to OSS first ... POST https://api.newportai.com/api/async/talking_image ... "photoUrl" ... "audioUrl"
Avoid using sensitive personal media unless you trust the provider's privacy and retention practices; prefer expiring or access-controlled URLs where possible.
Users have less registry-level context for verifying who published the skill or whether the linked API documentation is the intended provider.
The artifact has limited provenance metadata, although it is instruction-only and contains no install script or executable code.
Source: unknown Homepage: none
Verify the API documentation and provider identity before configuring an API key.
