Skill v1.0.2

ClawScan security

Tomoviee Text to Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 27, 2026, 1:41 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and dependencies are coherent with its stated purpose (calling Tomoviee's text-to-music API via the Wondershare OpenAPI gateway) and do not request unrelated credentials or install arbitrary third-party code.
Guidance
This package appears to be what it claims: a small Python client for Tomoviee's text-to-music API. Before installing, consider these practical precautions:

- Treat your app_key/app_secret as secrets: do not paste them into public logs or share them. The provided helper prints a base64 token to stdout; avoid capturing that output in public logs.
- The client will send your prompt and any supplied callback URL to the Tomoviee/Wondershare gateway (openapi.wondershare.cc). Only provide callback URLs you control and trust, because remote callbacks could receive generated content or notifications.
- Review the small Python files yourself; they only use requests and call the two documented endpoints. If you want secrets as environment variables, prefer a secure secret store rather than hardcoding or inline CLI arguments.
- Run in an isolated Python environment (virtualenv) and install only the stated dependency (requests). If you need higher assurance, test network traffic (e.g., with a proxy) to confirm requests go only to the declared host.

If you want additional assurance, request the skill author to declare required env vars (e.g., TOMOVIEE_APP_KEY, TOMOVIEE_APP_SECRET) in metadata so the credential contract is explicit, and verify the gateway host TLS certificate and vendor documentation links before use.

Review Dimensions

Purpose & Capability
ok · The name/description state text-to-music via Tomoviee/OpenAPI and the included Python client, auth helper, and docs all implement that same behavior. Required dependencies are minimal (requests) and match the task. No unrelated services, binaries, or broad permissions are requested.
Instruction Scope
ok · SKILL.md instructs installing dependencies, running the provided auth helper or importing the client, and calling the documented endpoints (openapi.wondershare.cc). The runtime instructions and scripts only reference the declared API endpoints and do not read or transmit unrelated local files or environment state. The client accepts app_key/app_secret as parameters (not implicit scanning of system secrets).
Install Mechanism
ok · There is no install spec; the package ships as code plus a pip requirements.txt with a single well-known dependency (requests). No downloads from unknown URLs, no archive extraction, and no creation of non-standard system binaries.
Credentials
ok · No required environment variables or primary credential are declared. The code legitimately needs an app_key and app_secret for API auth; these are passed as runtime parameters to the client (or could be provided via env vars by the user). The number and type of secrets requested are proportional to the API integration. There are no unrelated secret names or extra credentials requested.
Persistence & Privilege
ok · The skill does not request persistent installation privileges (always: false). The code does not store credentials to disk; the auth helper prints a base64 token to stdout and the client keeps credentials in-memory. The skill does not modify other skills or system-wide settings.