ClawHub

Seedance Video

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward cloud video-generation skill, but prompts and image URLs are sent to AceDataCloud for processing.

Install only if you are comfortable sending prompts, image URLs, and related request metadata to AceDataCloud and downstream video-generation providers. Do not submit secrets, confidential business content, private personal images, or regulated data unless you have approval and understand the provider’s retention, billing, and privacy terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to send prompts and, in image-to-video mode, image URLs to a third-party API without clearly warning that user-provided content will leave the local environment and be processed by AceDataCloud/ByteDance infrastructure. This is dangerous because users may unknowingly submit sensitive text or private media, creating confidentiality, privacy, and compliance risks.

External Transmission

Medium
Category
Data Exfiltration
Content
## Quick Start

```bash
curl -X POST https://api.acedata.cloud/seedance/videos \
  -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "a dancer performing contemporary ballet in a misty forest", "model": "seedance-1.0", "wait": true}'
Confidence
92% confidence
Finding
curl -X POST https://api.acedata.cloud/seedance/videos \ -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Quick Start

```bash
curl -X POST https://api.acedata.cloud/seedance/videos \
  -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "a dancer performing contemporary ballet in a misty forest", "model": "seedance-1.0", "wait": true}'
Confidence
92% confidence
Finding
https://api.acedata.cloud/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal