Back to skill
Skillv1.0.0
ClawScan security
Seedance 2.0 Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 12:07 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, instructions, and included script match its stated purpose (submitting Seedance 1.5 Pro jobs to PoYo) and do not request unrelated credentials or perform unexpected actions.
- Guidance
- This skill appears to do exactly what it says: submit Seedance 1.5 Pro jobs to PoYo using your POYO_API_KEY. Before installing, ensure you trust poyo.ai and that you keep your POYO_API_KEY secret. When using the included script or examples, be careful which file you pass as the payload (or what you pipe into stdin)—the script will upload whatever JSON you provide. If you use callback_url, make sure the callback endpoint you supply is secure and under your control so results or sensitive metadata are not sent to an unintended receiver.
Review Dimensions
- Purpose & Capability
- okName/description, required binary (curl), and required env var (POYO_API_KEY) are directly related to submitting jobs to PoYo's generate/submit endpoint. The included shell script and API reference are appropriate for this purpose.
- Instruction Scope
- noteSKILL.md and the script instruct the agent to POST JSON payloads (from stdin or a file) to https://api.poyo.ai/api/generate/submit and to handle task_id and polling/webhooks. This is within scope. One caution: the script will read and send whatever JSON file or stdin you provide—passing an unintended local file could upload sensitive content. Also callbacks (callback_url) will cause PoYo to POST to the URL you supply, which is expected behavior but requires the user to control/verify that endpoint.
- Install Mechanism
- okNo install spec — instruction-only with a small helper script. Uses curl already present on system; nothing is downloaded or written by an installer.
- Credentials
- okOnly POYO_API_KEY is required and declared as primaryEnv. That single credential is proportional and necessary for API access; no unrelated secrets or config paths are requested.
- Persistence & Privilege
- okSkill does not request persistent/always-on presence, does not modify other skills or system-wide settings, and relies on explicit user-provided POYO_API_KEY. Autonomous invocation is allowed by default but not combined with elevated privileges here.