SeedDance AI Video Generation
v1.0.0集成字节跳动SeedDance AI视频生成API,支持文本到视频、图片到视频等功能
⭐ 1· 1.8k·9 current·9 all-time
byAshwin Ramachandran@ashwinramachandran2002
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description and the SKILL.md consistently describe a SeedDance Text-to-Video / Image-to-Video integration — that part is coherent. However the skill metadata claims no required environment variables or credentials, while the instructions explicitly require SEEDDANCE_API_KEY and SEEDDANCE_REGION and a local config file. The missing declaration of those credentials in metadata is an inconsistency.
Instruction Scope
The SKILL.md tells an agent to npm install 'seeddance-sdk', read local files (fs.readFileSync) and write output files, use process.env.SEEDDANCE_API_KEY and SEEDDANCE_REGION, and configure webhooks to arbitrary external endpoints. Those actions are expected for a video SDK, but the instructions reference environment variables that are not declared in the skill metadata and they allow sending callbacks to external URLs (which may expose task results). There are no instructions to access unrelated system files, but the undeclared-env-vars and webhook behavior are notable scope issues.
Install Mechanism
This is an instruction-only skill with no install spec. It recommends running 'npm install seeddance-sdk'. That is a typical install path but involves pulling a package from the public npm registry; because no code is included in the skill bundle and no homepage/source is provided, you cannot verify the package provenance from the skill alone. The absence of an explicit install spec in metadata (or a trusted release URL) reduces traceability.
Credentials
The SKILL.md requires SEEDDANCE_API_KEY and SEEDDANCE_REGION (and shows use of process.env), but the registry metadata lists no required env vars or primary credential. Requesting an API key for the service is reasonable for this functionality, but the metadata omission is a red flag: the platform and users are not being told the skill needs secrets. Also, webhooks and file uploads can transmit user data off-device — consider whether the API key or uploaded media would be accessible to third parties.
Persistence & Privilege
The skill does not request persistent or always-on privileges (always:false). It doesn't modify other skills or system-wide settings in the instructions. No elevated platform privileges are requested in the metadata.
What to consider before installing
Before installing, verify the origin and authenticity of this skill and the 'seeddance-sdk' npm package: find the official homepage or GitHub repository and confirm the package name and maintainer. Do not provide broad or long-lived API keys until you confirm the SDK is legitimate — prefer scoped/limited keys and rotate them after testing. Be cautious about webhook URLs: callbacks will send task results to whatever endpoint you configure, so ensure your endpoint is trusted and authenticated. Because the skill metadata omits required env vars (SEEDDANCE_API_KEY, SEEDDANCE_REGION) and provides no source/homepage, treat this as unverified: either obtain more provenance (official docs or package repo) or request the skill author update metadata to declare required credentials and link the SDK source before use.Like a lobster shell, security has layers — review code before you run it.
aivk974nxsmsq28bj0s43zmwbhp1581f5ahbytedancevk974nxsmsq28bj0s43zmwbhp1581f5ahlatestvk974nxsmsq28bj0s43zmwbhp1581f5ahseeddancevk974nxsmsq28bj0s43zmwbhp1581f5ahvideovk974nxsmsq28bj0s43zmwbhp1581f5ah
License
MIT-0
Free to use, modify, and redistribute. No attribution required.