Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seedance AI Video Gen

v1.0.0

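Uses Volcano Engine's Seedance 2.0 series models (doubao-seedance-2-0 / doubao-seedance-2-0-fast) to generate high-quality AI video through the Ark platform API. Supports multimodal content generation including text-to-video, image-to-video, video reference and audio reference; applies when the user asks to generate/make/create a video, text-to-video, image-to-video, AI ...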

by Cong Pendy (@jancong)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name and description match the included scripts and instructions: it submits generation tasks to the Ark/Seedance API and downloads results. However, the registry metadata lists no required environment variables or primary credential, while the SKILL.md and all scripts require ARK_API_KEY (and optionally ARK_API_URL). That metadata omission is inconsistent and should be corrected.
Instruction Scope
SKILL.md and scripts only perform actions related to submitting tasks, polling status, and downloading results. They require user-provided public URLs for reference assets and instruct uploading local files externally if needed. The instructions do not ask to read unrelated files or exfiltrate other system data.
Install Mechanism
No install spec or external downloads are used; the skill is instruction-only with bundled Python scripts. No third-party package downloads or archive extraction are present in the manifest.
Credentials
The scripts legitimately need an API credential (ARK_API_KEY) and optionally ARK_API_URL. The manifest/registry metadata incorrectly states there are no required env vars or primary credential. That mismatch is concerning because users may not be warned that they must supply an API key. Otherwise no unrelated credentials or excessive env access are requested.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide configs. It runs as a user-invoked skill and the scripts perform only network requests to the configured Ark API and to user-supplied asset URLs.
What to consider before installing
This skill appears to implement Seedance/Ark video generation, but the package metadata fails to declare the required ARK_API_KEY (and ARK_API_URL is configurable). Before installing:
1) Treat the source as untrusted until you verify the publisher (homepage is missing and owner is unknown).
2) Do not set an API key with broad or production privileges until you confirm which Ark account will be used; prefer a scoped/test key.
3) Be aware the scripts will make outbound HTTPS requests to the configured ARK_API_URL and to any user-provided asset URLs (images/videos/audio).
4) If you need guarantees, ask the maintainer to update the registry metadata to list ARK_API_KEY as a required credential and to provide provenance (homepage/repo).
If you cannot verify the source, consider alternative, well-known integrations, or inspect and execute the scripts in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.
