Tomoviee Tail to Video
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to be a coherent Tomoviee/Wondershare video-generation client, with expected notes about API credentials and sending prompt/image URLs to the disclosed provider endpoint.
This looks reasonable for its stated purpose. Before installing, verify the Tomoviee/Wondershare endpoint and developer portal, provide API credentials only through trusted local handling, avoid exposing the printed auth token, and submit only image URLs and prompts you are comfortable sharing with the provider.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the supplied Tomoviee/Wondershare API credentials to create and poll video-generation tasks.
The skill needs provider account credentials to authenticate to the disclosed API; this is expected for its purpose, but users are granting API/account authority.
Sensitive credentials required: `app_key` and `app_secret`.
Use credentials from the official provider portal, limit their scope if the provider supports it, and rotate them if they are exposed.
Anyone who can see terminal output, logs, or copied command output may be able to reuse the derived authorization token.
The helper intentionally prints a Base64 Basic-auth token derived from `app_key:app_secret`. This is user-directed, but the printed token is sensitive.
print(f"Access Token: {token}")
Avoid running the helper in shared terminals or CI logs, and do not paste the printed token into tickets, chats, or public files.
Prompts and image URLs provided for generation are shared with the external video-generation provider.
The client sends the user's prompt and first/last image URLs in the API payload to the disclosed Wondershare gateway. This is purpose-aligned, but it crosses a provider data boundary.
"prompt": prompt, "image": image, "image_tail": image_tail
Only submit images and prompts you are comfortable sending to the provider, and avoid embedding secrets or private tokens in image URLs, prompts, callbacks, or params.
Installing dependencies from an untrusted package index could introduce unrelated package risk.
The user-directed pip install resolves a non-exact version of the requests package. This is common and purpose-aligned, but dependency provenance still depends on the user's package source.
requests>=2.31.0,<3.0.0
Install in a virtual environment using a trusted package index, and consider pinning exact dependency versions for production use.
