Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seedance Video Generation

v1.0.3

Generate AI videos using ByteDance Seedance. Use when the user wants to: (1) generate videos from text prompts, (2) generate videos from images (first frame, first+last frame, reference images), or (3) query/manage video generation tasks. Supports Seedance 1.5 Pro (with audio), 1.0 Pro, 1.0 Pro Fast, and 1.0 Lite models.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The skill's name/description (Seedance video generation) aligns with the code and instructions which call Volcengine Ark APIs. However the registry metadata claims no required environment variables or primary credential, while SKILL.md and seedance.py require ARK_API_KEY; that metadata mismatch is an incoherence that could mislead users about secret requirements. Otherwise required functionality (image file handling, text-to-video, task management) matches the stated purpose.
Instruction Scope
SKILL.md and seedance.py instruct the agent/user to read local image files (convert to base64), create and poll remote generation tasks, download generated videos to local paths, and include an optional guide for sending the resulting file via Feishu. Reading local files and saving downloads is expected for a video-generation tool, but the how_to_send_video_via_feishu_app.md describes uploading local files to Feishu (an external endpoint) and refers to OpenClaw's message tool — this extends the runtime scope beyond mere generation and implies access to Feishu credentials stored elsewhere in the agent environment.
Install Mechanism
No install spec or external downloads are declared; this is an instruction-only skill with an included Python CLI (seedance.py). There are no URL downloads or archive extraction steps in the manifest that would introduce high install risk.
[!] Credentials
The skill requires an ARK_API_KEY (declared in SKILL.md and enforced by seedance.py) but the registry metadata lists none. That mismatch is problematic because the skill needs a secret directly related to its purpose (Volcengine/ARK API key) — which is proportionate — but the missing declaration reduces transparency. The Feishu upload guide mentions app_id/app_secret/app_access_token held in OpenClaw config; the skill itself does not request those, but users following the guide will incur additional credential use not captured in the skill metadata.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide persistence. It writes downloaded videos to user-specified local paths (normal for a generator) and does not modify other skills or global agent configuration.
What to consider before installing
Before installing or enabling this skill:
- Be aware the skill requires an ARK_API_KEY (Volcengine/Ark). The registry metadata incorrectly lists no required env vars; SKILL.md and the included seedance.py will fail without ARK_API_KEY. Treat this as a transparency issue.
- The tool will read local image files and write downloaded video files to your filesystem. Do not point it at sensitive images or directories unless you understand the consequences.
- The how_to_send_video_via_feishu_app.md shows how to upload generated videos to Feishu; that flow uses Feishu app credentials stored in your OpenClaw config (app_id/app_secret/app_access_token). The skill does not declare those credentials, so if you follow that guide you will be using additional secrets not listed in the skill metadata.
- Network endpoints contacted: the CLI talks to https://ark.cn-beijing.volces.com (Volcengine/Ark). The Feishu upload path (if used) contacts open.feishu.cn. Confirm you trust those services and the origin of any API keys you provide.
- Recommended precautions: (1) run the CLI in an isolated environment (limited filesystem scope) when testing, (2) use a dedicated/limited ARK API key, (3) review seedance.py locally (it is included) to confirm behavior (it appears to only call the Ark API and download the returned video), and (4) avoid providing highly sensitive local files for generation or upload.
- Note: the skill's owner and homepage are unknown, increasing the value of manual code review and caution.

Like a lobster shell, security has layers — review code before you run it.

latest vk97ddcbzd4jww9v20zj75re7c581168a
