Tomoviee Image Redraw

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the printed token can use the associated Tomoviee API credentials until they are rotated or revoked. Because a Basic auth token is only the base64 encoding of key:secret, it also reveals the app secret itself to whoever holds it.

Why it was flagged

The helper derives and prints a Basic auth token from the user's Tomoviee app key and secret. This is expected for the API client, but the token is sensitive and could be exposed if terminal output or logs are shared.

Skill content

credentials = f"{app_key}:{app_secret}" ... print(f"Access Token: {token}")

Recommendation

Use dedicated, least-privileged Tomoviee credentials, avoid sharing terminal logs that contain the token, and rotate the app secret if it is exposed.
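The following is an added example, not code from the skill or from ClawScan. It shows what the flagged lines do (derive the Basic token), why the token is sensitive (it decodes straight back to key and secret), and what to print instead, plus a small scan over shared terminal output for tokens that were already leaked. The helper names, the "Access Token:" line format and the key/secret values are assumptions and constructed placeholders.

```python
import base64
import binascii
import re

# Added example, not the skill's own code. The helper names and the
# "Access Token:" line format are assumptions; the key/secret values are
# constructed placeholders, not real Tomoviee credentials.


def build_basic_auth_token(app_key: str, app_secret: str) -> str:
    """Derive the Basic auth token the way the skill does: base64("key:secret")."""
    credentials = f"{app_key}:{app_secret}".encode("utf-8")
    return base64.b64encode(credentials).decode("ascii")


def recover_credentials(token: str) -> tuple[str, str]:
    """Base64 is an encoding, not encryption: the token gives back both halves."""
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    app_key, _, app_secret = decoded.partition(":")
    return app_key, app_secret


def redact_token(token: str, keep: int = 4) -> str:
    """Safe form for terminal output and logs: a short prefix plus the length only."""
    if len(token) <= keep:
        return "*" * len(token)
    return f"{token[:keep]}...[{len(token)} chars]"


# Matches the helper's printed line; the exact label is an assumption.
TOKEN_LINE = re.compile(r"Access Token:\s*([A-Za-z0-9+/=]{8,})")


def find_leaked_credentials(log_text: str) -> list[tuple[str, str]]:
    """Scan shared terminal output for printed tokens that decode to key:secret.

    Returns (app_key, redacted_secret) pairs so the report itself does not
    re-leak the secret; the app key is enough to know which credential to rotate.
    """
    leaks = []
    for token in TOKEN_LINE.findall(log_text):
        try:
            app_key, app_secret = recover_credentials(token)
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a Basic token after all
        if app_key and app_secret:
            leaks.append((app_key, redact_token(app_secret)))
    return leaks


# Constructed sample of a shared terminal session (placeholder credentials).
SAMPLE_LOG = (
    "$ python helper.py --auth\n"
    "Access Token: " + build_basic_auth_token("example-app-key", "example-app-secret") + "\n"
    "Submitting redraw job...\n"
)


if __name__ == "__main__":
    token = build_basic_auth_token("example-app-key", "example-app-secret")
    print("Authorization header value (redacted):", redact_token(token))
    for key, secret in find_leaked_credentials(SAMPLE_LOG):
        print(f"leaked credentials for app key {key!r} (secret {secret}); rotate the app secret")
```

If a token does turn up in a shared log, the scan output names the app key to rotate without reprinting the secret; rotating the app secret invalidates every token derived from it.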

What this means

Private image URLs, masks, prompts, callback URLs, or signed links may be processed by the external provider.

Why it was flagged

The client sends the prompt, source image URL, optional mask URL, callback, and passthrough params to the external Wondershare OpenAPI gateway. This is disclosed and purpose-aligned, but it means image-related data leaves the user's environment.

Skill content

requests.post(url, headers=self._get_headers(), json=payload, timeout=self.REQUEST_TIMEOUT)

Recommendation

Only submit images and URLs that are intended for external processing, avoid embedding secrets in URLs or params, and review the provider's data handling terms.
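The following is an added example, not code from the skill or from ClawScan. It is a pre-flight audit that runs before the `requests.post` call above and refuses to send a payload whose URLs carry pre-signed signatures or embedded credentials, whose callback is not HTTPS or not on an approved host, or whose passthrough params look like a credential. The payload field names, the allowlist host and the sample URLs are assumptions and constructed values.

```python
from urllib.parse import parse_qsl, urlsplit

# Added example, not the skill's own code. The payload field names, the
# allowlist host and the sample URLs are assumptions / constructed values.

# Hosts allowed to receive job callbacks (constructed allowlist).
ALLOWED_CALLBACK_HOSTS = {"hooks.example.internal"}

# Parameter names that indicate a credential or a pre-signed link: generic
# names plus the AWS/GCS signature parameters and the Azure SAS 'sig'.
SECRET_PARAM_NAMES = {
    "token", "key", "secret", "sig", "signature", "api_key", "apikey",
    "access_token", "x-amz-signature", "x-goog-signature",
}

URL_FIELDS = ("image_url", "mask_url", "callback_url")


def _check_url(field: str, url: str) -> list[str]:
    issues = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        issues.append(f"{field}: not HTTPS (scheme {parts.scheme or 'missing'!r})")
    if parts.username or parts.password:
        issues.append(f"{field}: credentials embedded in the URL userinfo")
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAM_NAMES:
            issues.append(f"{field}: signed or secret-bearing query parameter {name!r}")
    return issues


def audit_payload(payload: dict, allowed_callback_hosts=ALLOWED_CALLBACK_HOSTS) -> list[str]:
    """Return a list of reasons the payload must not leave the environment (empty = clean)."""
    issues = []
    for field in URL_FIELDS:
        url = payload.get(field)
        if url:
            issues.extend(_check_url(field, url))
    callback = payload.get("callback_url")
    if callback:
        host = (urlsplit(callback).hostname or "").lower()
        if host not in allowed_callback_hosts:
            issues.append(f"callback_url: host {host!r} is not an approved callback receiver")
    for name in (payload.get("params") or {}):
        if name.lower() in SECRET_PARAM_NAMES:
            issues.append(f"params: passthrough parameter {name!r} looks like a credential")
    return issues


def submit_if_clean(payload: dict, post):
    """Gate the outbound request; `post` stands in for requests.post."""
    issues = audit_payload(payload)
    if issues:
        raise ValueError("refusing to send payload to external gateway:\n  " + "\n  ".join(issues))
    return post(payload)


# Constructed sample payloads.
CLEAN_PAYLOAD = {
    "prompt": "replace the background with a beach",
    "image_url": "https://cdn.example.com/public/photo.jpg",
    "mask_url": None,
    "callback_url": "https://hooks.example.internal/tomoviee",
    "params": {"style": "photo"},
}

RISKY_PAYLOAD = {
    "prompt": "replace the background with a beach",
    # pre-signed S3 link: the signature grants access to anyone who holds the URL
    "image_url": "https://example-bucket.s3.amazonaws.com/private/photo.jpg?X-Amz-Signature=abc123&X-Amz-Expires=3600",
    # basic credentials in the URL itself
    "mask_url": "https://user:hunter2@files.example.com/mask.png",
    # plaintext callback to a host nobody approved
    "callback_url": "http://attacker.example.net/hook",
    # an API key smuggled in the passthrough params
    "params": {"api_key": "sk-live-000"},
}


if __name__ == "__main__":
    for label, payload in (("clean", CLEAN_PAYLOAD), ("risky", RISKY_PAYLOAD)):
        print(label, audit_payload(payload) or "ok")
```

In the real client the `post` argument would be `requests.post` wrapped with the gateway URL, headers and timeout; the audit runs entirely locally, so nothing is sent when it fails.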

What this means

Installing dependencies retrieves whichever requests release inside the allowed range is newest on the package index at install time, so two installs of the same skill can resolve to different packages.

Why it was flagged

The documented setup installs a third-party Python dependency using a version range rather than an exact version pin with package hashes. This is common and minimal here, but it is still a dependency-provenance consideration.

Skill content

requests>=2.31.0,<3.0.0

Recommendation

Install in a virtual environment and, if reproducible builds are important, pin or lock dependency versions (for example, a requirements file with exact `==` pins and `--hash` entries installed with `pip install --require-hashes`).
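The following is an added example, not code from the skill or from ClawScan. It parses pip requirements text and reports every requirement that is not pinned to an exact version or lacks a well-formed sha256 hash, which is the policy `pip install --require-hashes` enforces; run it in CI against the skill's install spec. The function names are assumptions, the sample requirement texts are constructed, and the digest shown is a placeholder, not the real digest of any requests release.

```python
import re
from dataclasses import dataclass, field

# Added example, not the skill's own code. Function names are assumptions;
# the sample requirement texts are constructed and the sha256 digest is a
# placeholder, not the real digest of any requests release.

NAME_AND_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$")
EXACT_PIN = re.compile(r"^==[0-9][A-Za-z0-9.!+]*$")      # '==2.31.0'; rejects ranges and '==2.*'
HASH_OPTION = re.compile(r"^--hash=sha256:[0-9a-f]{64}$")


@dataclass
class Requirement:
    name: str
    specifier: str
    hashes: list = field(default_factory=list)

    @property
    def pinned(self) -> bool:
        return bool(EXACT_PIN.match(self.specifier))


def parse_requirements(text: str) -> list[Requirement]:
    """Parse pip requirements text: plain lines, or pip-compile style with
    backslash continuations and --hash options."""
    joined = text.replace("\\\n", " ")
    reqs = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, or an option such as --index-url
            continue
        tokens = line.split()
        hashes = [t for t in tokens if t.startswith("--hash=")]
        spec_text = "".join(t for t in tokens if not t.startswith("--hash="))
        m = NAME_AND_SPEC.match(spec_text)
        if not m:
            continue
        reqs.append(Requirement(m.group(1), m.group(2).strip(), hashes))
    return reqs


def check_requirements(text: str) -> list[str]:
    """Policy violations: every requirement must be '==' pinned and carry a
    well-formed sha256 hash, i.e. what `pip install --require-hashes` demands."""
    problems = []
    for req in parse_requirements(text):
        if not req.pinned:
            problems.append(f"{req.name}: not pinned to an exact version ({req.specifier or 'any'})")
        if not req.hashes:
            problems.append(f"{req.name}: no --hash entry")
        elif not all(HASH_OPTION.match(h) for h in req.hashes):
            problems.append(f"{req.name}: malformed --hash entry")
    return problems


# The skill's documented range, and a constructed locked equivalent
# (placeholder digest; a real lock file is produced with pip-compile --generate-hashes).
SKILL_REQUIREMENT = "requests>=2.31.0,<3.0.0\n"

LOCKED_REQUIREMENT = (
    "# constructed lock; the digest is a placeholder, not the real requests 2.31.0 hash\n"
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
)


if __name__ == "__main__":
    for label, text in (("range", SKILL_REQUIREMENT), ("locked", LOCKED_REQUIREMENT)):
        print(label, check_requirements(text) or "ok")
    # Install the locked file with: pip install --require-hashes -r requirements.txt
```

With the locked file, pip refuses any artifact whose digest differs from the recorded one, so a later release or a tampered package on the index cannot be pulled in silently.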