Tomoviee Text to Video

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Tomoviee app secret or encoded token could be exposed if terminal history, process listings, or command output are shared.

Why it was flagged

The helper takes the Tomoviee app secret from command-line arguments and prints the Basic auth token. Credential use is necessary for the API, but the encoded token should be treated as sensitive.

Skill content

app_secret = sys.argv[2]
...
print(f"Access Token: {token}")

Recommendation

Use a dedicated or limited Tomoviee API key, avoid sharing command output, and rotate the secret if the printed token is exposed.

What this means

A future allowed version of the dependency may be installed by pip.

Why it was flagged

The skill depends on a Python package resolved at install time rather than an exact locked version. `requests` is a standard dependency for this API client, so this is a supply-chain hygiene note rather than suspicious behavior.

Skill content

requests>=2.31.0,<3.0.0

Recommendation

Install in a virtual environment and pin or lock dependencies if you need reproducible installs.

What this means

If you provide a callback URL or sensitive passthrough parameters, task information may be delivered to that endpoint.

Why it was flagged

The client can pass an optional callback URL and passthrough parameters to the provider. This is a normal async API feature, but it creates an additional webhook-style data path if used.

Skill content

if callback:
    payload["callback"] = callback
if params:
    payload["params"] = params

Recommendation

Use only trusted HTTPS callback URLs and avoid placing secrets or private data in prompts, callbacks, or passthrough params.