Seedance Video Generation BytePlus
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The skill is designed for a legitimate purpose (AI video generation via the BytePlus API) and communicates with a legitimate endpoint. However, the `image_to_data_url` function in the `seedance_byteplus.py` script, used for image-to-video functionality, can read arbitrary local files (if given a path via prompt injection) and base64-encode their contents for transmission to the BytePlus API. While the code is intended to process image files, this capability creates a local file disclosure vulnerability: a malicious prompt could trick the agent into sending sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) to the third-party API. Additionally, the `os.system` call in `cmd_wait_logic` that opens downloaded videos presents a minor shell injection risk, although the filepath construction makes direct exploitation difficult. Although there is no clear malicious intent by the skill developer, these risky capabilities classify the skill as suspicious.
