Tomoviee Image to Video
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone who sees the printed token may be able to authenticate to the provider as the user's Tomoviee/Wondershare app.
The helper displays a Basic-auth token derived from app_key/app_secret. This is expected for setup, but the printed token is credential-equivalent and should not be exposed in shared logs or transcripts.
token = generate_access_token(app_key, app_secret)
print(f"Access Token: {token}")Use service-specific, rotatable credentials; avoid pasting token output into shared places; rotate the app secret if the token is exposed.
Installing dependencies can modify the local Python environment, though the declared dependency is common and purpose-aligned.
The skill depends on an external Python package. This is normal and proportionate for an HTTP API client, but users should install it from a trusted package index and preferably inside a virtual environment.
requests>=2.31.0,<3.0.0
Install in a virtual environment, use a trusted package index, and consider locking dependencies for repeatable deployments.
If a callback is set to an untrusted endpoint or params contain secrets, task metadata or user-provided data could be exposed outside the provider workflow.
The API supports sending a callback URL and opaque callback parameter to the provider. This is optional and purpose-aligned, but it expands where task-related data may flow if enabled.
- `callback` (optional): callback URL. - `params` (optional): transparent callback parameter.
Use callbacks only with trusted endpoints and do not place secrets or private data in the params field.