seedance2.0

Security checks across malware telemetry and agentic risk

Overview

The skill appears coherent for Seedance video generation, but users should protect their Volcengine API key and verify the partner application link before using it.

Before installing, confirm you trust the author/source and the partner application link. Use a scoped ARK_API_KEY, keep it out of logs or shared files, verify ARK_BASE_URL, and review the package before running the Bun setup. Assume prompts, reference media URLs, and generation requests will be sent to the stated Volcengine API.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Using the skill may consume paid API quota or incur provider charges, and exposing the key could let someone else use the account.

Why it was flagged

The skill uses a provider API key and configurable base URL to access the video-generation service. This is purpose-aligned, but it grants access to the user's Volcengine/ARK account quota or billing authority.

Skill content
This skill reads its configuration from the environment variables `ARK_API_KEY` and `ARK_BASE_URL`: ... `ARK_API_KEY` - Volcengine API key
Recommendation

Use a restricted, rotatable API key; keep ARK_BASE_URL pointed at the official endpoint unless you intentionally use a trusted proxy; monitor usage; and prefer registry metadata that declares the credential requirement.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Running package-manager commands can install or execute dependency code in the local environment.

Why it was flagged

The README asks the user to install/run a local package with Bun, while the registry says there is no install spec or required binary. This is a manual setup step, not hidden execution, but users should review local dependencies before running it.

Skill content
cd /root/.openclaw/workspace/skills/seedance2.0
bun install
Recommendation

Review the package contents and dependency sources before running Bun commands, run in an isolated workspace where possible, and update the skill metadata to declare the Bun/runtime requirement.

ASI09: Human-Agent Trust Exploitation
Low
What this means

Following the link could associate an enterprise account with a partner and may lead to submitting company information, signing an agreement, or purchasing service.

Why it was flagged

The skill directs users to a specific Volcengine partner invitation link as part of the whitelist/application process. This is disclosed and aligned with the stated guide purpose, but it may affect a business account relationship.

Skill content
Invitation link
https://partner.volcengine.com/partners/auth/confirm?inviteToken=...&partnerName=...
Recommendation

Verify the invitation link, partner, and channel contact through official Volcengine or internal procurement channels before submitting company details or purchasing.