Tomoviee Reference to Image
v1.0.2Generate images from a reference image using Tomoviee Image-to-Image API (`tm_reference_img2img`) through Wondershare OpenAPI gateway (`https://openapi.wonde...
⭐ 0· 245·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included client code and docs. The Python client targets the declared endpoints (openapi.wondershare.cc) and implements the tm_reference_img2img workflow; no unrelated cloud providers, binaries, or secret-scoped env vars are requested.
Instruction Scope
SKILL.md and code stay within the image-to-image task. Two notes: (1) the client accepts a callback URL and will pass it to the remote API, which may cause the remote service to POST results to an arbitrary endpoint — exercise caution when supplying callbacks; (2) references/prompt_guide.md includes broader video/audio prompt guidance beyond strict image-to-image scope (harmless documentation but extra content).
Install Mechanism
No automated install script or remote binary downloads. The repo only lists a single dependency (requests) in requirements.txt and recommends 'pip install -r requirements.txt'. All code is included in the package (no fetch-from-unknown-URL behavior).
Credentials
The skill does not declare required env vars or primary credentials. Credentials (app_key/app_secret) are supplied at runtime to the client and used only to build a Basic auth header in memory; there are no extraneous credential requests or access to system config paths.
Persistence & Privilege
always:false and disable-model-invocation left default; the skill does not request persistent system-wide changes or modify other skills. The code does not write credentials to disk and has no self-elevating install steps.
Assessment
This package appears to be what it claims: a Tomoviee image-to-image client that calls openapi.wondershare.cc. Before using it, consider: (1) You'll need to supply app_key/app_secret at runtime — do not paste highly privileged/production secrets unless you trust the vendor and gateway. (2) Avoid providing sensitive reference images if you do not want them sent to a third-party service. (3) Be careful with the optional 'callback' parameter — if you pass a callback URL the remote service may POST generated results (or data) to that URL; use only endpoints you control. (4) The repository contains all client code; if you want extra assurance, review the small Python files yourself (they only use requests and base64). (5) Test with non-sensitive data first and prefer short-lived/test credentials where possible.Like a lobster shell, security has layers — review code before you run it.
latestvk97ezqw28gk37094hjc4t3hb2x83qhj2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.