Volcengine Doubao Image Gen
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Unrelated secrets in the workspace .env could be pulled into the process environment, increasing exposure if later code or libraries use them unexpectedly.
The video helper reads every key/value pair from a fixed workspace .env file before running. Only ARK_API_KEY is needed for the stated purpose, so loading every local secret and configuration value into the process environment is broader than the skill requires.
key, value = line.split("=", 1)
os.environ.setdefault(key.strip(), value.strip())
...
load_env_file("/root/.openclaw/workspace/.env")
Load only the documented ARK_API_KEY from a clearly disclosed path, or require the user to set it explicitly; do not import unrelated .env variables.
A mistaken or agent-chosen filename could replace local files with generated media.
The output path check accepts absolute paths, and the download opens the target in overwrite mode ("wb"). As a result, a supplied filename can overwrite any file the process is able to write, rather than being confined to a safe output directory.
if os.path.isabs(normalized):
return normalized
...
with open(safe_path, "wb") as f:
f.write(response.read())
Restrict outputs to a workspace/output directory, reject absolute paths by default, and require explicit confirmation before overwriting existing files.
Video generation may fail until the SDK is installed, and users may need to choose a trusted package source themselves.
Video generation depends on an external Python SDK, but the provided artifacts include no install spec or pinned dependency declaration for that SDK.
from volcenginesdkarkruntime import Ark
Declare and pin the required Python package, or document a trusted installation method.
