Tomoviee Image to Video
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: tomoviee-image-to-video Version: 1.0.3 The skill bundle is a legitimate integration for the Tomoviee AI Image-to-Video service provided by Wondershare. The Python client (scripts/tomoviee_img2video_client.py) and authentication helper (scripts/generate_auth_token.py) perform standard API interactions with the documented endpoints at openapi.wondershare.cc. No evidence of data exfiltration, malicious execution, or prompt injection was found; the code logic is transparent and aligns with the stated purpose of generating videos from images.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone who sees the printed token may be able to authenticate to the provider as the user's Tomoviee/Wondershare app.
The helper displays a Basic-auth token derived from app_key/app_secret. This is expected for setup, but the printed token is credential-equivalent and should not be exposed in shared logs or transcripts.
token = generate_access_token(app_key, app_secret)
print(f"Access Token: {token}")Use service-specific, rotatable credentials; avoid pasting token output into shared places; rotate the app secret if the token is exposed.
Installing dependencies can modify the local Python environment, though the declared dependency is common and purpose-aligned.
The skill depends on an external Python package. This is normal and proportionate for an HTTP API client, but users should install it from a trusted package index and preferably inside a virtual environment.
requests>=2.31.0,<3.0.0
Install in a virtual environment, use a trusted package index, and consider locking dependencies for repeatable deployments.
If a callback is set to an untrusted endpoint or params contain secrets, task metadata or user-provided data could be exposed outside the provider workflow.
The API supports sending a callback URL and opaque callback parameter to the provider. This is optional and purpose-aligned, but it expands where task-related data may flow if enabled.
- `callback` (optional): callback URL. - `params` (optional): transparent callback parameter.
Use callbacks only with trusted endpoints and do not place secrets or private data in the params field.