doubao-seedance-skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill coherently calls Volcengine's Seedance API to generate videos, with expected API-key and provider-data use but no artifact-backed malicious behavior.
Before installing, make sure you are comfortable providing a Volcengine API key, potential usage costs, and sending prompts or reference images to Volcengine. Also verify the filename/setup mismatch if you intend to run the included script directly.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can submit Seedance generation jobs under the user's Volcengine account, which may consume quota or incur charges.
The skill uses a Volcengine bearer token to create and query video-generation tasks. This is expected for the stated API integration, but users should treat it as account authority and note that registry metadata did not list a primary credential.
API_KEY = os.getenv("VOLCENGINE_API_KEY") ... "Authorization": f"Bearer {API_KEY}"Use a dedicated or least-privileged API key, keep it out of committed files, and monitor account usage.
Prompts, reference image links, or embedded image data may be visible to the external video-generation provider.
The user's prompt and any provided image URLs/Base64 references are sent to the Volcengine API endpoint for generation. This is disclosed and purpose-aligned.
content = [{"type": "text", "text": prompt}] ... response = requests.post(API_URL, headers=headers, json=data)Avoid submitting sensitive personal, confidential, or proprietary content unless Volcengine's handling and retention policies are acceptable.