SeedDance AI Video Generation
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: seeddance-ai-video
Version: 1.0.0
The skill bundle appears benign. The `SKILL.md` provides standard instructions for installing and using a Node.js SDK for AI video generation, including dependency installation via `npm install seeddance-sdk`, configuration, and API key handling via environment variables. File system operations (reading images, writing videos) and network calls (webhooks) are demonstrated for legitimate purposes aligned with video processing. There is no evidence of prompt injection attempts against the agent, data exfiltration, persistence mechanisms, or other malicious activities within the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the wrong or compromised package could affect the local development environment.
The guide asks the user to install an external, unpinned npm SDK. This is purpose-aligned for a video API integration, but the artifact does not provide package provenance or a pinned version.
npm install seeddance-sdk
Verify the SDK publisher and package authenticity before installing, and consider pinning a known-good version.
Anyone with the API key may be able to use the video generation service and consume credits or quota.
The skill expects a SeedDance API key, which is appropriate for the stated API integration but gives the SDK delegated access to the user's service account or quota.
export SEEDDANCE_API_KEY="your-api-key-here"
Use a scoped key if available, store it in a protected environment or secret manager, and rotate it if exposed.
Unintended repeated generation could consume API credits or hit rate limits.
The examples submit generation jobs to an external service and acknowledge credit consumption. This is central to the skill's purpose, but users should be aware that repeated or batch use can spend quota.
console.log(`消耗积分: ${result.creditsUsed}`);
Confirm prompts, batch sizes, and expected cost before running generation tasks.
If the webhook endpoint is misconfigured, generation results or task metadata could be exposed to the wrong recipient.
The guide includes webhook callbacks for long-running tasks. This is a normal integration pattern, but callbacks may carry task identifiers, status, or generated media links.
webhook: 'https://your-server.com/api/seeddance-callback'
Use HTTPS, authenticate callback requests, and avoid sending callbacks to endpoints you do not control.
