Skill v1.0.0

ClawScan security

Seedance Video Generation Extension · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Feb 25, 2026, 8:47 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches its stated purpose (script → storyboard → images → render), but the package metadata omits required credentials and the runtime instructions/code perform network calls and subprocess execution that the metadata doesn't declare — this mismatch warrants caution.
Guidance
What to check before installing/use:
- Metadata mismatch: the registry entry lists no required env vars, but SKILL.md and scripts require ARK_API_KEY (Seedream) and expect seedance.py from a separate skill. Treat the package as incomplete until the registry metadata is corrected.
- Credential scope: only provide an ARK_API_KEY that is limited in scope (image-generation only) and rotatable. Do not reuse high-privilege or unrelated credentials.
- External endpoint: image requests go to https://ark.cn-beijing.volces.com/api/v3/images/generations. Verify this endpoint and the operator before sending any private prompts or data.
- Subprocess and downloads: scripts call seedance.py and run/parse its JSON output, and download URLs returned by remote services. Run in a sandbox or with least-privilege access to the filesystem, and review seedance-video-generation's source (seedance.py) before granting runtime access.
- Audit artifacts: the workflow writes checkpoint-*.json and output videos/images under the project directory; ensure the project paths used are intended and do not point to sensitive directories.
- If you need higher assurance: ask the publisher to (1) update registry metadata to declare ARK_API_KEY and any other env vars, (2) provide a homepage/source repository for review, and (3) document the external API operator and expected token permissions.

Review Dimensions

Purpose & Capability
Concern: The skill's name and description (video orchestration using Seedream/Seedance) match the included scripts: prepare, image generation, orchestration, and concatenation. However, registry metadata lists no required environment variables or credentials while SKILL.md and the code clearly require ARK_API_KEY and an installed seedance-video-generation (seedance.py). That metadata omission is an incoherence: the skill will not function without an external API key and a peer skill/script.
Instruction Scope
Concern: SKILL.md directs the agent to run local Python scripts that spawn subprocesses (calls to seedream_image.py and seedance.py via python3) and to call an external image API. The scripts also download video/image URLs returned by remote services (urllib.request.urlretrieve). The instructions/procedures access environment variables (ARK_API_KEY, SEEDANCE_SCRIPT) and read/write checkpoint and project files. Accessing these env vars and performing network I/O is consistent with the functionality, but the SKILL.md and registry metadata are inconsistent about required secrets, and this increases the risk surface.
Install Mechanism
OK: This is an instruction-only skill with no install spec; all code is included as scripts. No remote install/downloads or archive extractions are performed by an installer step. Risk from the install mechanism is low.
Credentials
Concern: The code requires ARK_API_KEY (used by seedream_image.py) and optionally honors SEEDANCE_SCRIPT/SEEDANCE env hints, but the skill metadata declares no required environment variables or primary credential. ARK_API_KEY is a sensitive credential that grants external image-generation API access; requesting it is proportionate to the stated purpose, but the metadata omission is a red flag. Users should confirm the intended credential and its required scope before supplying it.
Persistence & Privilege
OK: The skill does not request 'always: true' and does not modify other skills or system-wide settings. It writes project-local checkpoint and artifact files, which is expected behavior for a staged workflow.