Seedance Video Generation Extension

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: turn story inputs into generated images, rendered clips, and a final video using disclosed external generation services and local video tools.

Install only if you trust the separate Seedance video skill, your FFmpeg binary, and the external provider handling your prompts. Prefer a dedicated ARK_API_KEY, review each checkpoint before confirming, and keep project outputs in a location appropriate for retained prompts, URLs, metadata, and generated videos.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill documentation clearly instructs use of environment variables, filesystem reads/writes, shell execution, and likely network-backed generation services, yet no permissions are declared. This creates a trust and containment gap: an agent or user may invoke the skill without understanding that it can access sensitive local data, modify files, call external services, and execute system commands such as Python and FFmpeg.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal