Seedream

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use the user's Volcengine account and may consume paid quota when generating images.

Why it was flagged

The script uses a user-provided Volcengine API key as a bearer token to call the image-generation service.

Skill content

"Authorization": f"Bearer {api_key}"

Recommendation

Use a dedicated, least-privileged API key if available, monitor usage costs, and prefer environment-variable handling over pasting secrets into shared command logs.

What this means

Prompts and reference images provided to the skill are shared with the external image-generation provider.

Why it was flagged

The script sends the prompt and optional reference image data to Volcengine's external API endpoint.

Skill content

url = "https://ark.cn-beijing.volces.com/api/v3/images/generations"
...
payload = {"model": model, "prompt": prompt, "size": size}
...
payload["image"] = image_input

Recommendation

Avoid sending sensitive prompts or private images unless you are comfortable with the provider's data handling terms.

What this means

Running the skill may fetch or resolve a Python package even though the registry metadata lists no required binaries or install spec.

Why it was flagged

The script declares a runtime Python dependency that will typically be resolved when invoked through `uv run`; this is purpose-aligned but not captured in the registry requirements.

Skill content

# dependencies = [
#     "requests>=2.31.0",
# ]

Recommendation

Install from trusted package sources and consider pinning or reviewing dependencies in controlled environments.