Seedance Video Generation BytePlus
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its BytePlus video-generation purpose, but its helper can automatically run a local shell command to open downloaded videos on macOS and it under-declares its credential and sharing requirements.
Use this skill only if you trust the publisher and intend to send prompts/images to BytePlus. Set ARK_API_KEY in a controlled environment, avoid passing private files, confirm any delete/cancel or Feishu-send action, and consider disabling or fixing the macOS auto-open shell command before use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
On macOS, a download can launch a local app automatically, and malformed path/task ID values could create command-injection risk.
After downloading a video, the helper automatically invokes a shell command on macOS using a path built from the download directory and task ID. This is not necessary for video generation and is safer as a non-shell subprocess call or explicit user action.
if sys.platform == "darwin":
    os.system(f'open "{filepath}"')
Remove the auto-open behavior or replace it with a safe call such as subprocess.run(["open", str(filepath)], check=False) and only run it after explicit user confirmation.
Using the skill can create, list, and delete tasks under the user's BytePlus account and may incur provider costs.
A provider API key is expected for this BytePlus integration, but the registry metadata declares no required env vars or primary credential. No credential leakage is shown.
The user must set the `ARK_API_KEY` environment variable with a BytePlus API Key.
Declare ARK_API_KEY in metadata, use a least-privileged key if available, and monitor BytePlus usage/billing.
Private images or prompts supplied to the skill leave the local machine and are sent to the BytePlus Ark API.
The helper reads a user-specified local image and embeds it in the API request. This is purpose-aligned for image-to-video generation, but it means selected local files are uploaded to BytePlus.
with open(p, "rb") as f:
    b64 = base64.b64encode(f.read()).decode("ascii")
return f"data:image/{mime_ext};base64,{b64}"
Only provide image paths and prompts that are intended for BytePlus processing, and avoid passing sensitive local files.
A generated video can be uploaded to Feishu storage and sent to a chat if the workflow is used.
The optional guide chains the generated local video into OpenClaw's message tool for Feishu/Lark delivery, including upload to Feishu CDN. This is disclosed and user-directed, but it crosses a tool/provider boundary.
message( action="send", channel="feishu", filePath="/root/.openclaw/workspace/seedance_cgt-...mp4"
Confirm the recipient/channel and file path before sending, and do not use the Feishu workflow for sensitive videos unless that sharing is intended.
Users have less external provenance information for verifying the publisher, version history, or intended install path.
The package provenance is not linked to a source repository or homepage, and there is no install specification. The included code is visible and no remote installer is shown, so this is a provenance note rather than a direct malicious indicator.
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Verify the publisher and ensure the executed helper script is the included reviewed file before granting it API-key access.
