ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ark-seedance-video-generation

v1.0.0

End-to-end Volcengine Ark Seedance video generation using ARK_API_KEY and the bundled Node.js runner. Use when an agent needs to generate videos, handle text...

0· 29·0 current·0 all-time
by@iunclear
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description request node + ARK_API_KEY and the included CLI-like script; those are exactly what a Seedance video runner needs. The only credential required is ARK_API_KEY, which matches the stated Ark integration.
Instruction Scope
SKILL.md limits execution to the bundled scripts/seedance-video.js and requires explicit model selection, disclosures about uploading local media, saving sanitized request.json, and controlled payload usage — all within the stated purpose. Note: the workflow will upload local image/video/audio files (base64 or URLs) to the Ark service; SKILL.md requires the agent to notify the user before doing so, which is appropriate but important for user privacy.
Install Mechanism
No install spec (instruction-only with a bundled script). Only 'node' is required on PATH. Nothing is downloaded from arbitrary URLs or written during installation.
Credentials
Only ARK_API_KEY is declared and used as the primary credential; the script also allows an --api-key override. No unrelated secrets or broad environment access are requested.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide configuration or other skills' credentials. It writes outputs locally (request.json/task.json/assets) within a workspace output directory as expected for a runner.
Assessment
This package appears to be a legitimate wrapper for Volcengine Ark Seedance video APIs and only needs your ARK_API_KEY and Node.js. Before installing, consider: (1) Privacy: local image/video/audio files will be uploaded to the remote Ark service — the SKILL.md requires you be informed and to consent; do not pass sensitive files if you object. (2) Verify the ARK_API_KEY you provide is scoped appropriately (use a dedicated key/account if possible). (3) Confirm the base URL in the script (DEFAULT_BASE_URL) matches the official Ark endpoint for your region/account — the package uses ark.cn-beijing.volces.com in its code and docs, so double-check that against Volcengine's official documentation. (4) The skill enforces a model-selection workflow; review the approved model IDs if that matters for your use. If you need stronger assurances, inspect the remaining script code (sanitize/write functions and any network calls) or run it in an isolated environment first.
scripts/seedance-video.js:215
Environment variable access combined with network send.
!
scripts/seedance-video.js:603
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk978c0wsyr2r1px1ev1rzzby2s847veb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
Binsnode
EnvARK_API_KEY
Primary envARK_API_KEY

Comments