ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seedance Video

v1.0.0

Generate AI dance and motion videos with Seedance (ByteDance) via AceDataCloud API. Use when creating videos from text prompts or animating images into motio...

0· 101·0 current·0 all-time
by@germey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md describes a Seedance (ByteDance) video generation integration that uses an AceDataCloud API token — that credential is appropriate for the stated purpose. However, the registry metadata at the top of the submission lists no required environment variables or primary credential while the SKILL.md explicitly says ACEDATACLOUD_API_TOKEN is required; this metadata mismatch is an incoherence.
Instruction Scope
The instructions are narrowly scoped to: export an ACEDATACLOUD_API_TOKEN, call the AceDataCloud API endpoints (api.acedata.cloud), poll tasks, and optionally install/use the mcp-seedance helper. The instructions do not ask the agent to read unrelated files, system credentials, or send data to third-party endpoints beyond the named AceDataCloud domains.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md recommends 'pip install mcp-seedance' and references a hosted MCP endpoint. The absence of an install spec means the skill won't automatically install anything, but users/agents following the doc would install a third-party pip package — verify that package origin and contents before installing.
!
Credentials
The only environment variable the instructions require is ACEDATACLOUD_API_TOKEN, which is proportional to the task. The concern is that the skill manifest/registry metadata does not declare this required env var or a primary credential, creating ambiguity about what credentials will actually be requested at runtime and by whom.
Persistence & Privilege
The skill does not request always:true, does not claim to modify other skills or system settings, and is user-invocable. Autonomous invocation is allowed by default but is not combined with other high-privilege requests here.
What to consider before installing
This skill appears to be a straightforward wrapper around AceDataCloud's Seedance API, but there are a few mismatches you should resolve before installing: (1) SKILL.md says you must set ACEDATACLOUD_API_TOKEN, yet the registry metadata lists no required env vars — assume the token is required and confirm what scope/permissions it needs; (2) the docs suggest installing a third-party pip package (mcp-seedance) — verify the package's publisher, source repository, and PyPI page before running pip; (3) the skill's source/homepage is unknown and the registry owner ID is opaque — prefer skills from verified publishers; (4) image-to-video functionality animates people in uploaded images — consider privacy and consent implications for any subjects; and (5) use a least-privilege, revocable API token (avoid using broad production credentials while testing). If the publisher can provide authoritative docs or a public repo for both the AceDataCloud API and the mcp-seedance package, that would increase confidence; if not, proceed cautiously (or treat this as untrusted code).

Like a lobster shell, security has layers — review code before you run it.

latestvk970vgptjvb8pe5vdhk5pxd5q183c055

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments