Image To Video
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent image-to-video guide, but it relies on an external CLI, account login, and uploading user-selected images to model providers.
Before installing or using this skill, verify the inference.sh CLI installer, understand that infsh commands may run under your logged-in account, and avoid uploading private or sensitive images unless you accept the provider data exposure.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user runs the installer, they are trusting the remote inference.sh installation script and downloaded binary.
The skill recommends installing an external CLI by piping a remote script to sh. This is disclosed and central to the workflow, but it is still a supply-chain-sensitive setup step.
curl -fsSL https://cli.inference.sh | sh && infsh login
Review the installer source and checksum information, or use the manual install and verification path before running the CLI.
An agent using the skill can operate the infsh CLI to submit generation jobs, so users should ensure commands reference the intended model, prompt, and image file.
The declared tool access allows Bash execution for infsh commands. This is expected for a CLI-based video-generation skill, but the wildcard is broader than a single fixed command.
allowed-tools: Bash(infsh *)
Approve infsh actions only when they match the requested image/video task and use the intended local files.
The skill may act through the user's inference.sh account when running model jobs.
The workflow requires logging into inference.sh, meaning generated jobs may use the user's service account or session.
infsh login
Use an account with appropriate limits and review any model-run command before allowing it to proceed.
Private photos, product images, or sensitive prompts could be uploaded to external generation providers if used with this skill.
The examples send image paths and prompts to external model apps through inference.sh. This is expected for image-to-video generation, but it means user content is shared with external services.
infsh app run falai/wan-2-5-i2v --input '{ ... "image": "path/to/lake-image.png" }'Only use images and prompts that you are comfortable sending to inference.sh and the selected model provider.