Doubao Seedream & Seedance API Skill
Security checks across malware telemetry and agentic risk
Overview
The skill appears purpose-aligned for using Volcengine media-generation APIs, but users should notice the API-key use, local history storage, and external setup instructions.
Before installing, confirm you trust any external setup commands, configure your Volcengine API key carefully, expect prompts/images/video requests to be sent to Volcengine, and periodically review or clear the local ~/.volcengine state if it may contain sensitive content.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user follows the external setup path, they are trusting code outside the reviewed ClawHub artifact package.
The recommended setup asks the user to run an external repository's install script, while the provided ClawHub install spec does not include that script.
git clone https://github.com/Lychee-AI-Team/seedream-skill.git cd seedream-skill ./install.sh
Review the external repository and install script before running it, or prefer installing only the reviewed dependencies and files you intended to use.
Using the skill can consume Volcengine account quota or incur API charges tied to the configured key.
The skill requires a Volcengine API key for authenticated provider calls; this is expected for the integration but is sensitive account authority.
Volcengine API Key ... export ARK_API_KEY="your-api-key-here"
Use a dedicated or least-privilege API key if available, keep it out of shared files, and monitor provider usage.
Generated-content history may remain on the local machine and could be reused for later suggestions or visible to other local processes/users depending on file permissions.
The skill persists preferences, task state, and operation history locally, which may include prompts, task identifiers, and result metadata.
self.state_dir = state_dir or Path.home() / ".volcengine" self.state_file = self.state_dir / "state.json" self.tasks_file = self.state_dir / "tasks.json" self.history_file = self.state_dir / "history.json"
Avoid putting sensitive information in prompts, and clear or protect ~/.volcengine history files if privacy matters.