Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tomoviee Image to Video

v1.0.3

Generate videos from image + text prompts using Tomoviee Image-to-Video API (`tm_img2video_b`) through Wondershare OpenAPI gateway (`https://openapi.wondersh...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wondershare-boop/tomoviee-image-to-video.

Install the skill "Tomoviee Image to Video" (wondershare-boop/tomoviee-image-to-video) from ClawHub.
Skill page: https://clawhub.ai/wondershare-boop/tomoviee-image-to-video
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install wondershare-boop/tomoviee-image-to-video

ClawHub CLI

npx clawhub@latest install tomoviee-image-to-video

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The code and SKILL.md consistently implement a Tomoviee image-to-video client that talks to the documented Wondershare gateway; the runtime dependency (requests) and included scripts are appropriate for that purpose. However the registry metadata/manifest lists no required environment variables or primary credential even though SKILL.md and the client require app_key and app_secret — this mismatch is incoherent and unexpected.

! Instruction Scope
Runtime instructions are narrowly scoped to creating tasks, polling results, and optionally using a callback URL. They only target the documented openapi.wondershare.cc endpoints. Concerns: (1) SKILL.md and scripts rely on app_key/app_secret but the manifest does not declare them; (2) scripts/generate_auth_token.py prints the base64 token to stdout (could be logged); (3) the optional callback parameter means results can be POSTed to arbitrary URLs, which could leak generated content or metadata if misused.

Install Mechanism
No remote downloads or obscure installers are used. The package includes a simple requirements.txt (requests) and instructs users to pip install -r requirements.txt — this is proportionate and low risk compared to download-based installs.

! Credentials
The API legitimately requires app_key and app_secret (used to build Basic <base64(...)> Authorization headers). That is proportionate to the stated purpose, but the skill metadata declares no required env vars or primary credential — a manifest omission. Additional notes: base64 encoding is reversible (not encryption); generate_auth_token prints the token, increasing chance of accidental exposure; no other unrelated secrets are requested.

Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not include persistent install steps. It runs as a client of the external API and does not install background services or system-wide changes.

What to consider before installing

This package mostly does what it claims, but there are some red flags to resolve before installing:

  1. The manifest does not declare the required credentials (app_key/app_secret) — ask the publisher to add them as required env vars or document how credentials will be provided securely.
  2. Avoid running scripts that print tokens (scripts/generate_auth_token.py) in environments where stdout is logged or shared; treat the app_key/app_secret as sensitive and inject them via a secure secret mechanism rather than pasting into chat.
  3. Be cautious with the optional callback URL — only use trusted endpoints because the service can POST generated results (and potentially user-supplied images/prompts) to that URL.
  4. Verify you trust the external gateway (openapi.wondershare.cc) and review its data retention/privacy policy because your images/prompts will be sent to a third party.

If the author can correct the manifest to declare the credentials and avoid helper scripts that print secrets, my confidence that this package is coherent would increase.

Like a lobster shell, security has layers — review code before you run it.

latest vk97cjfprdzf0e3qn14ycr8y9kn83pgxy
349 downloads
0 stars
4 versions
Updated 19h ago
v1.0.3
MIT-0

Tomoviee AI Image-to-Video

Overview

Generate a 5-second video from a still image and prompt.

  • API capability: tm_img2video_b
  • Create endpoint: https://openapi.wondershare.cc/v1/open/capacity/application/tm_img2video_b
  • Result endpoint: https://openapi.wondershare.cc/v1/open/pub/task

Provider and Endpoint Provenance

Use this mapping to verify provider identity and endpoint provenance:

  • Vendor portals: https://www.tomoviee.ai and https://www.tomoviee.cn
  • Runtime gateway host used by this skill: https://openapi.wondershare.cc
  • Compatible gateway alias: https://open-api.wondershare.cc

This skill sends runtime API calls only to openapi.wondershare.cc.

Credential Handling

  • Sensitive credentials required: app_key and app_secret.
  • Credentials are only used to build Authorization: Basic <base64(app_key:app_secret)>.
  • Credentials are kept in process memory and are not written to disk by this skill.
  • Do not hardcode credentials in source files or commit them to git.
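
One way to follow these rules in a caller, shown as an added example that is not part of the skill's own code: the credentials come from the environment, the header is built in memory, and a logging filter masks any Basic token before it reaches a log. The variable names TOMOVIEE_APP_KEY and TOMOVIEE_APP_SECRET are assumptions, as are the helper names.

```python
import base64
import logging
import os
import re

# Hypothetical variable names; the skill's manifest declares none.
ENV_KEY, ENV_SECRET = "TOMOVIEE_APP_KEY", "TOMOVIEE_APP_SECRET"

_BASIC_RE = re.compile(r"(Basic\s+)[A-Za-z0-9+/=]+")


def build_auth_header(env=None):
    """Return the Authorization header dict, or raise if a credential is missing."""
    env = os.environ if env is None else env
    key, secret = env.get(ENV_KEY), env.get(ENV_SECRET)
    if not key or not secret:
        raise RuntimeError(f"set {ENV_KEY} and {ENV_SECRET} in the environment")
    token = base64.b64encode(f"{key}:{secret}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def redact(text):
    """Mask any Basic token; base64 is reversible, so the token is the secret."""
    return _BASIC_RE.sub(r"\1[REDACTED]", text)


class RedactBasicAuth(logging.Filter):
    """Logging filter that masks Basic tokens in the formatted message."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    # Constructed sample credentials, for demonstration only.
    sample = {ENV_KEY: "demo-key", ENV_SECRET: "demo-secret"}
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("tomoviee-demo")
    log.addFilter(RedactBasicAuth())
    log.info("request headers: %s", build_auth_header(sample))  # token is masked
```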

Dependencies

  • Runtime dependency: requests>=2.31.0,<3.0.0
  • Install with: pip install -r requirements.txt

Quick Start

Authentication helper

python scripts/generate_auth_token.py YOUR_APP_KEY YOUR_APP_SECRET

Python Client

from scripts.tomoviee_img2video_client import TomovieeImg2VideoClient

client = TomovieeImg2VideoClient("app_key", "app_secret")

API Usage

Basic Example

import json

# Create the task; the call returns a task_id to poll.
task_id = client.image_to_video(
    prompt="Camera slowly pushes in, gentle motion in the scene, cinematic lighting",
    image="https://example.com/landscape.jpg",
    resolution="720p",
    duration=5,
    aspect_ratio="original",
)

# Wait for the task to finish.
result = client.poll_until_complete(task_id)

# result["result"] is a JSON string; the first video_path entry is the video URL.
video_url = json.loads(result["result"])["video_path"][0]
print(video_url)

Parameters

  • prompt (required): motion and scene guidance text.
  • image (required): source image URL (JPG/JPEG/PNG/WEBP, <200M).
  • resolution (optional): 720p or 1080p, default 720p.
  • duration (optional): only 5 supported.
  • aspect_ratio (optional): 16:9, 9:16, 4:3, 3:4, 1:1, original.
  • camera_move_index (optional): camera movement type 1-46.
  • callback (optional): callback URL.
  • params (optional): transparent callback parameter.
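
Because the service POSTs results to whatever callback URL a task carries, a caller can check that URL against an allowlist before the task is created. The following is an added example, not part of the skill's code; the host hooks.example.com and the helper names check_callback and build_task_args are assumptions, while prompt, image and callback are the parameter names listed above.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts you operate and expect results on.
ALLOWED_CALLBACK_HOSTS = {"hooks.example.com"}


def check_callback(url, allowed_hosts=ALLOWED_CALLBACK_HOSTS):
    """Return (ok, reason) for a candidate callback URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "callback must use https"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal instead of an allowlisted name"
    except ValueError:
        pass  # not an IP literal, continue with name checks
    if port not in (None, 443):
        return False, "unexpected port"
    if host not in allowed_hosts:
        return False, f"host {host!r} is not allowlisted"
    return True, "ok"


def build_task_args(prompt, image, callback=None):
    """Assemble image_to_video() keyword arguments, refusing a bad callback."""
    args = {"prompt": prompt, "image": image}
    if callback is not None:
        ok, reason = check_callback(callback)
        if not ok:
            raise ValueError(f"callback rejected: {reason}")
        args["callback"] = callback
    return args
```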

Async Workflow

  1. Create task and get task_id
  2. Poll with poll_until_complete(task_id)
  3. Parse video URL from result

Status codes:

  • 1 queued
  • 2 processing
  • 3 success
  • 4 failed
  • 5 cancelled
  • 6 timeout
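
The workflow and status codes above, as an added example that is not the skill's own code: a handler that separates pending, failed and successful tasks and only returns a URL after checking the result payload. The `status` field name, the TaskFailed exception and the https requirement on the video URL are assumptions; the `result` JSON string with a `video_path` list follows the Basic Example.

```python
import json
from urllib.parse import urlsplit

# Status codes as listed above.
STATUS = {1: "queued", 2: "processing", 3: "success",
          4: "failed", 5: "cancelled", 6: "timeout"}
PENDING, SUCCESS = {1, 2}, 3


class TaskFailed(Exception):
    """Raised for a terminal non-success status or an unusable result."""


def video_url_from_task(task):
    """Return the video URL on success, None while pending; raise otherwise."""
    code = task.get("status")  # assumed field name
    if code in PENDING:
        return None
    if code != SUCCESS:
        label = STATUS.get(code, "unknown ({})".format(code))
        raise TaskFailed("task ended as " + label)
    try:
        url = json.loads(task["result"])["video_path"][0]
    except (KeyError, IndexError, TypeError, ValueError) as exc:
        raise TaskFailed("success status but unusable result: %r" % exc) from exc
    # Assumption: results are served over https; reject anything else.
    if not isinstance(url, str) or urlsplit(url).scheme != "https":
        raise TaskFailed("video_path[0] is not an https URL")
    return url


if __name__ == "__main__":
    # Constructed sample responses, not captured from the API.
    done = {"status": 3,
            "result": json.dumps({"video_path": ["https://cdn.example.com/v.mp4"]})}
    print(video_url_from_task({"status": 2}))  # still processing
    print(video_url_from_task(done))
    try:
        video_url_from_task({"status": 6})
    except TaskFailed as err:
        print(err)
```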

Resources

  • scripts/tomoviee_img2video_client.py - main API client
  • scripts/tomoviee_image_to_video_client.py - compatibility import shim
  • scripts/generate_auth_token.py - auth token helper
  • references/video_apis.md - API reference and constraints
  • references/camera_movements.md - camera movement index reference
  • references/prompt_guide.md - prompt writing guidance

External Resources

  • Developer portal (global): https://www.tomoviee.ai/developers.html
  • API docs (global): https://www.tomoviee.ai/doc/ai-video/image-to-video.html
  • Developer portal (mainland): https://www.tomoviee.cn/developers.html
  • API docs (mainland): https://www.tomoviee.cn/doc/ai-video/image-to-video.html
