Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seedance Video Creation

v1.0.0

Generate AI videos using ByteDance Seedance. Use when the user wants to: (1) generate videos from text prompts, (2) generate videos from images (first frame,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Seedance video generation) matches the included code and instructions: the Python CLI talks to the Ark API to create/query/download video tasks. However the registry metadata claims no required env vars/credentials while the SKILL.md and seedance.py require ARK_API_KEY. Also supplemental docs reference Feishu app credentials for sending files — those credentials are not declared in the skill metadata. These mismatches are unexpected.
Instruction Scope
SKILL.md and seedance.py perform expected actions for this purpose: reading local image files (base64 conversion), calling the Ark API, polling task status, and downloading video files. The included how_to_send_video_via_feishu_app.md documents reading local video files and using an external 'message' tool that uploads to Feishu (which requires Feishu app tokens and filesystem access). The instructions do not read arbitrary system files or other credentials beyond what is documented, but they do assume local file read/write and network access to external APIs.
Install Mechanism
This is an instruction-only skill with an included Python CLI file; there is no external install script or third‑party download URL. The code will run locally (seedance.py) when invoked. No unusual install mechanism or remote archive extraction is present.
Credentials
The runtime requires ARK_API_KEY (seedance.py will exit if it's not set) but the registry metadata lists no required environment variables — an explicit inconsistency. The Feishu integration doc describes needing Feishu app_access_token / app_id/app_secret stored in OpenClaw config, but those credentials are not declared by the skill. This mismatch increases the risk of surprising credential use or missing disclosure.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills' configurations. It reads/writes user-specified file paths when downloading results (normal for a file-generation tool).
What to consider before installing
Before installing or running this skill:
- Expect to provide an ARK_API_KEY environment variable; verify this requirement in the registry metadata or ask the publisher to update metadata to include it. Do not supply keys you do not trust.
- Inspect the included seedance.py yourself (it is shipped with the skill) — it runs locally and makes HTTP requests to https://ark.cn-beijing.volces.com; confirm there are no additional hidden endpoints or suspicious behavior.
- The helpful Feishu guide shows how to upload generated videos via a 'message' tool that needs Feishu app credentials and reads local files. Those Feishu credentials are not declared by the skill — verify how your OpenClaw instance manages Feishu tokens and whether you consent to using them.
- Run the tool in a restricted environment (non-root user, sandbox/container) if you are unsure, and test with non-sensitive API keys or limited-scope keys.
- Ask the publisher to resolve metadata inconsistencies (declare ARK_API_KEY in requires.env, correct ownerId/slug if needed) before trusting wider use.

If you cannot verify the origin or correct metadata, treat the skill as potentially risky and do not run it with production credentials.

Like a lobster shell, security has layers — review code before you run it.

latest vk97762bcasb94t717ynza5dqt983epsv
