Skillv1.0.0

ClawScan security

doubao-seedance-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 13, 2026, 9:41 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requested environment access are consistent with its stated purpose of calling the Volcengine (Seedance) video-generation API.
Guidance: This skill appears to do exactly what it says: call the Volcengine (Seedance) video-generation API and save the returned video locally. Before installing, ensure you: 1) are comfortable providing VOLCENGINE_API_KEY to the agent (the key is sent to the Seedance API); 2) run the skill in an environment that has the Python dependencies (requests and python-dotenv) or install them yourself; 3) understand that generated videos will be downloaded and written to the output directory; and 4) verify the API endpoint/domain (ark.cn-beijing.volces.com) matches the official service you intend to use. If you need stronger guarantees, request the skill author to include an explicit install spec and a dependency list, or to use a vetted client library.

Purpose & Capability: okName/description state the skill calls Seedance video generation. The code and SKILL.md request only a VOLCENGINE_API_KEY and call the expected API endpoints to create tasks, poll status, and download resulting videos — all proportional to the stated purpose.
Instruction Scope: okSKILL.md directs the agent to call the provided Python script with prompt and parameters; the script only performs network calls to the Seedance endpoints, polls task status, and optionally downloads the produced video to a local output directory. It does not read unrelated files or access other environment variables or endpoints.
Install Mechanism: noteThis is instruction-only (no install spec). The included Python file depends on third-party packages (requests, python-dotenv) but the skill does not provide an install step or declare those dependencies; the runtime environment must already have them available. No remote download/install of arbitrary code is performed.
Credentials: okOnly VOLCENGINE_API_KEY is used (declared in SKILL.md and .env). That single credential is appropriate and expected for calling the Seedance API; no unrelated credentials or config paths are requested.
Persistence & Privilege: okSkill is not set to always: true and is user-invocable. It does not modify other skills or system-wide agent settings. It writes generated video files to a local output directory (expected behavior).