Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Seedance 2 Video Generator
v0.1.2Generate Werydance 2.0 videos through WeryAI for text-to-video, image-to-video, multi-image video, and first-frame/last-frame transitions. Use when you need...
⭐ 1· 142·0 current·0 all-time
byWeiwei Fan@fwwdn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Skill name/description, required binary (node), and the single required env var (WERYAI_API_KEY) align with the included code, which builds and posts requests to WeryAI endpoints (text-to-video, image-to-video, multi-image-to-video, almighty-reference-to-video). There are no unrelated credentials or unrelated external services requested.
Instruction Scope
SKILL.md and the scripts constrain behavior to generating videos and uploading media. The runtime will stat/read local files you provide (to validate and upload them) and will upload them to the WeryAI upload endpoint; this is expected for a media upload skill but means any local path you pass will be read and transmitted. The skill also defaults to adding audio unless the user explicitly requests silence and requires explicit confirmation before paid submission per SKILL.md.
Install Mechanism
There is no install spec (instruction-only install), and the package includes the JS runtime files. No external download URLs, package installers, or archive extraction are present—risk from installation is low. The runtime uses only standard Node APIs and internal helper modules included in the bundle.
Credentials
The skill declares a single primary credential WERYAI_API_KEY, which is appropriate for a client of the WeryAI API. The code also honors optional WERYAI_* environment overrides (e.g., WERYAI_BASE_URL, poll timeouts) — these are reasonable. No unrelated secrets or high-privilege env vars are requested.
Persistence & Privilege
The skill is not forced-always (always:false), is user-invocable, and does not request elevated agent-wide privileges or modify other skills. It will execute its included scripts when invoked but does not persist beyond that.
Assessment
This skill appears to do what it says: it will call WeryAI APIs and upload any media files you provide. Before installing or invoking it: (1) only provide local file paths you trust—the skill will read and upload those files to WeryAI; (2) ensure you are comfortable giving your WERYAI_API_KEY (check billing/permissions on that key); (3) note the skill defaults to adding audio unless you explicitly request silence; and (4) confirm paid submissions when prompted (SKILL.md requests explicit confirmation). If you need to prevent accidental data exfiltration, avoid supplying arbitrary local paths or run in dry-run mode first to see what would be uploaded.scripts/vendor/weryai-core/upload.js:147
Environment variable access combined with network send.
scripts/video_gen.js:24
Environment variable access combined with network send.
scripts/vendor/weryai-core/upload.js:131
File read combined with network send (possible exfiltration).
scripts/video_gen.js:498
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk973t8ve6rdfme63ahgzcvwsps83kv9q
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
Binsnode
EnvWERYAI_API_KEY
Primary envWERYAI_API_KEY