critical
suspicious.dangerous_exec
- Location
- bin/cli.js:69
- Finding
- Shell command execution detected (child_process).
seedance-2-video-gen
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteMedium Confidence
ASI05: Unexpected Code ExecutionWhat this means
Running the npm installer can execute local shell checks and copy files into the OpenClaw skills directory.
Why it was flagged
The installer uses shell execution to locate commands and detect the OpenClaw skills directory. In the visible code this is purpose-aligned installer plumbing, but users should know local commands are executed if they run the installer.
Skill content
const { execSync, spawnSync } = require('child_process'); ... spawnSync(os.platform() === 'win32' ? 'where' : 'which', [cmd]Recommendation
Run the installer only from a trusted source, and prefer the standard OpenClaw installation route if you do not need the npm installer.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
The skill may use your EvoLink account and credits when generating videos.
Why it was flagged
The skill requires an EvoLink API key to call the video generation service. This is expected for the stated integration, but it grants access to the user's EvoLink account/API quota.
Skill content
requires":{"bins":["jq","curl"],"env":["EVOLINK_API_KEY"]},"primaryEnv":"EVOLINK_API_KEY"Recommendation
Use a dedicated or limited API key if available, store it securely, and monitor EvoLink usage or billing.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
Prompts, images, video clips, or audio you provide for generation may be transmitted to EvoLink/Seedance for processing.
Why it was flagged
The skill is designed to send user prompts and selected media to the EvoLink API for generation. This external provider flow is disclosed and purpose-aligned, but it is still a data boundary users should understand.
Skill content
Seedance 2.0 AI video generation via EvoLink API. Three modes — text-to-video, image-to-video (1-2 images), reference-to-video (images + videos + audio).
Recommendation
Avoid sending private or sensitive media unless you are comfortable with EvoLink's handling of that data, and review the provider's privacy and retention terms.