muapi-seedance-2
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its video-generation purpose, but its helper script loads a local .env file as executable shell code and uses an undeclared MuAPI key/upload flow, so it should be reviewed before use.
Before installing, review or remove the .env sourcing behavior, set MUAPI_KEY deliberately, verify the referenced core media helper is trusted, and only pass images or prompts you are comfortable sending to MuAPI.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the helper from a directory with an unexpected or malicious .env file could execute local commands with the user's permissions.
The helper automatically sources a .env file from the working directory. In shell, source executes file contents, so a crafted .env can run commands before the video-generation logic.
if [ -f ".env" ]; then source .env 2>/dev/null || true; fi
Do not source .env as shell code. Parse only the needed MUAPI_KEY from a trusted, documented config path, or require the user to export it explicitly.
Use of the skill may consume the user's MuAPI account quota or billing and sends requests under that account.
The script requires and sends a MuAPI API key, while the registry metadata declares no required environment variables or primary credential.
if [ -z "$MUAPI_KEY" ]; then echo "Error: MUAPI_KEY not set" >&2; exit 1; fi ... HEADERS=(-H "x-api-key: $MUAPI_KEY" -H "Content-Type: application/json")
Declare MUAPI_KEY in the skill metadata and use a least-privilege provider key where possible.
Images passed with --file leave the local machine and are sent to the external MuAPI service.
The i2v mode uploads user-selected local files to the MuAPI provider. This is purpose-aligned, but it is a sensitive data movement users should understand.
echo " --file PATH Local image file (auto-uploaded, repeatable)" ... curl -s -X POST "${MUAPI_BASE}/upload_file" ... -F "file=@${FPATH}"
Only provide files intended for upload, and document provider privacy/retention expectations for uploaded media.
The t2v path depends on local platform code not reviewed here; if that helper is changed or untrusted, behavior could differ.
Text-to-video mode delegates execution to a core helper outside the provided file manifest, so its exact behavior is not visible in the supplied artifacts.
CORE_SCRIPT="$SCRIPT_DIR/../../../../core/media/generate-video.sh" ... bash "$CORE_SCRIPT"
Ensure the referenced core media helper is from the trusted OpenClaw installation and document this runtime dependency.
