SeedDance AI Video Generation

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only guide for using a third-party AI video API, with expected API-key, media-upload, SDK-install, and webhook examples but no hidden execution or destructive behavior.

Before installing, verify that the seeddance-sdk npm package is the intended publisher/package, protect the SEEDDANCE_API_KEY in a secret manager or private environment file, avoid submitting sensitive media or prompts unless approved for that service, and use only webhook URLs you control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The examples instruct users to send prompts and media to a third-party API using an API key, but do not warn that user-supplied content may be transmitted to an external service and potentially stored or processed خارج the local environment. In a skill that handles images, videos, and prompts, this omission can lead to unintended disclosure of sensitive content or credentials misuse, especially when webhook callbacks are also involved.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal