Seedance Video Generation

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A crafted download path could cause unintended local shell command execution when the generated video is downloaded.

Why it was flagged

After a successful download, the tool automatically invokes a shell command built from the download path. Because the download directory can be user-supplied, shell metacharacters in the path could be interpreted on macOS.

Skill content
if sys.platform == "darwin":
    os.system(f'open "{filepath}"')
Recommendation

Replace os.system with a non-shell call such as subprocess.run(["open", str(filepath)]) or require explicit user confirmation before opening downloaded files.

Concern (Medium Confidence)
ASI03: Identity and Privilege Abuse
What this means

If followed, generated videos may be uploaded to Feishu CDN and sent into a chat using configured Feishu app authority, potentially to an unclear recipient.

Why it was flagged

The bundled guide instructs sending generated videos through Feishu using OpenClaw Feishu app credentials. This external chat-upload capability is not part of the skill's stated description or declared credential/capability metadata.

Skill content
message(
  action="send",
  channel="feishu",
  filePath="/root/.openclaw/workspace/seedance_cgt-...mp4",
  message="视频说明文字"
)
...
Use the `feishu.app_id` and `feishu.app_secret` configured in OpenClaw.
Recommendation

Treat Feishu sending as a separate, explicit action: confirm the destination chat/recipient, file path, and user intent before uploading or sending any video.

What this means

The skill needs access to a Volcengine Ark API key to create and manage video-generation tasks.

Why it was flagged

The tool requires an ARK_API_KEY and sends it as a bearer token to the Volcengine Ark API. This is expected for the stated Seedance integration, but the registry metadata declares no required environment variables and no primary credential.

Skill content
key = os.environ.get("ARK_API_KEY")
...
"Authorization": f"Bearer {api_key}"
Recommendation

Use a scoped API key if available, keep it out of shared logs, and ensure the metadata accurately declares ARK_API_KEY as a required credential.

What this means

Prompts and selected images may be sent to Volcengine for video generation.

Why it was flagged

When the user supplies a local image, the tool base64-encodes it and submits it to the external Seedance/Volcengine API as part of the generation request. This is purpose-aligned but involves sending selected local content to a provider.

Skill content
with open(p, "rb") as f:
    b64 = base64.b64encode(f.read()).decode("ascii")
...
result = api_request("POST", BASE_URL, body)
Recommendation

Only provide images and prompts you are comfortable sending to the Seedance/Volcengine service.