Doubao Image Video

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill transparently wraps Volcengine Ark/Doubao media APIs; it needs an Ark API key and sends prompts or image URLs to that provider, but no hidden or unrelated behavior was found.

Before installing, make sure you are comfortable providing a Volcengine Ark API key and sending generation prompts or image URLs to Volcengine. Use a dedicated/scoped key if possible, monitor provider costs, and save downloads only to safe local paths.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use the user's Volcengine/Doubao account permissions and quota for requested media generation and task queries.

Why it was flagged

The helper reads a Volcengine Ark API key from the environment and uses it as Bearer authentication for provider API calls. This is expected for the stated purpose, and the code does not show logging or unrelated transmission of the key.

Skill content

api_key = os.getenv("DOUBAO_API_KEY", "") ... "Authorization": f"Bearer {api_key}"

Recommendation

Use a scoped or dedicated Ark API key where possible, monitor usage/costs, and ensure the registry metadata clearly advertises the DOUBAO_API_KEY requirement.

What this means

Prompts, task parameters, and referenced image URLs may be sent to Volcengine Ark and may incur provider usage charges.

Why it was flagged

The skill submits request bodies containing prompts and optional image URLs to Volcengine Ark image/video generation endpoints. This network API use is disclosed and central to the skill's purpose.

Skill content

request_json("POST", f"{BASE_URL}/images/generations", api_key, body) ... request_json("POST", f"{BASE_URL}/contents/generations/tasks", api_key, body)

Recommendation

Only submit prompts and image URLs you are comfortable sending to Volcengine, and confirm endpoint/model choices when cost or privacy matters.

What this means

A chosen local file path can be written or overwritten with the downloaded video.

Why it was flagged

When --download-to is supplied, the helper downloads the provider-returned video URL and writes it to the specified local path. This is documented and user-directed.

Skill content

if status == "succeeded" and args.download_to and video_url: result["download"] = download_file(video_url, args.download_to) ... with open(output_path, "wb") as f: f.write(data)

Recommendation

Choose an output path in a safe working directory and avoid overwriting important existing files.