doubao-seedream-skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it claims—generate images through Volcengine Seedream—but users should know it needs an API key, sends prompts or reference images to that service, and saves generated files locally.
Install this skill only if you trust the package source and are comfortable sending prompts and any reference images to Volcengine Seedream. Configure VOLCENGINE_API_KEY securely, avoid sensitive images unless appropriate, and use a controlled output directory for generated files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can make Seedream API calls under the user's Volcengine account, which may affect account usage or billing depending on the user's plan.
The skill needs a Volcengine API key to authenticate API requests. This is expected for the stated image-generation service, but users should be aware of it because the registry metadata lists no primary credential or required environment variable.
required_env_vars:
  - VOLCENGINE_API_KEY
Use a dedicated or scoped API key if available, keep it in an environment variable rather than code, and monitor provider usage.
Private prompts or reference images provided to the skill will be transmitted to the Seedream provider.
When the user supplies a local reference image, the file is read, base64-encoded, and sent in the JSON request to the external Volcengine API endpoint. This is purpose-aligned for image-to-image generation but is a privacy-relevant data flow.
with open(image_path, 'rb') as f:
    encoded = base64.b64encode(f.read()).decode('utf-8')
...
response = requests.post(API_URL, headers=headers, json=data)
Avoid using sensitive personal, confidential, or proprietary images/prompts unless the provider's data handling terms are acceptable.
Dependency versions may vary across installations, and users rely on their Python package source for integrity.
The setup instructions install Python dependencies without version pins or a lockfile. This is a normal user-directed setup step for the script, but it leaves package versions and provenance to the user's environment.
pip install requests python-dotenv
Install dependencies from a trusted package index and consider pinning versions in a requirements file before production use.
Generated files will be saved on the local filesystem, by default under the output directory or another directory the user specifies.
The skill downloads generated image URLs returned by the provider and writes them to a local output directory. This is expected for the stated purpose and appears user-directed.
os.makedirs(output_dir, exist_ok=True)
...
img_response = requests.get(url)
with open(filepath, "wb") as f:
    f.write(img_response.content)
Use a safe output directory and review downloaded files before sharing or reusing them.
