Tomoviee Reference to Image

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Tomoviee/Wondershare image-generation API client, with disclosed external API calls and expected API credential use.

This appears safe for its stated purpose. Before installing, confirm you trust the Tomoviee/Wondershare API, use a dedicated API key if possible, and do not submit sensitive reference images or callback URLs unless you are comfortable sharing that data with the provider.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Installing and using the skill may let the agent submit requests against the user's Tomoviee/Wondershare account, potentially consuming API credits.

Why it was flagged

The skill requires provider account credentials to create image-generation tasks; this is expected for the stated API integration, but users should treat those credentials as sensitive.

Skill content
`app_key` and `app_secret` are only used to build `Authorization: Basic <base64(app_key:app_secret)>`.
Recommendation

Use dedicated, revocable API credentials with the minimum necessary account permissions, and do not paste secrets into shared chats or files.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Prompts and referenced image URLs will be shared with the external provider during normal operation.

Why it was flagged

The client sends the user's prompt and reference image URL in the request payload to the external Wondershare OpenAPI endpoint, which is aligned with the skill's image-generation purpose.

Skill content
"prompt": prompt, ... "reference_image": ref
Recommendation

Avoid using private or sensitive images unless sharing them with the provider is acceptable, and review any optional callback URL before use.