ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

For long videos, automatically split the video task, using the last frame of the previous video as the first frame of the current video to maintain video continuity

v1.0.1

Generate AI videos using ByteDance Seedance 2.0. Use when the user wants to: (1) generate videos from text prompts, (2) generate videos from images (first fr...

0· 41·0 current·0 all-time
by@liusaikang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The description, SKILL.md, and seedance.py consistently target ByteDance Seedance via the Volcengine Ark API (model doubao-seedance-2-0-260128). Requiring an API key for that service is expected, but the registry metadata lists no required environment variables or primary credential — this mismatch is incoherent and should be corrected.
Instruction Scope
SKILL.md and seedance.py stay within the stated purpose: creating/querying/deleting video generation tasks and optionally downloading results. However, the tool will read local image files (convert to base64) and upload them to the external API, and it will download generated videos/last frames to local directories — users should be aware that local files and generated content are transmitted to/from the external service.
Install Mechanism
There is no install spec (no instructions that place the CLI at the claimed path), yet SKILL.md refers to a CLI at ~/.claude/skills/seedance-2-0-video/seedance.py and the bundle includes seedance.py. Absence of an explicit install mechanism is not necessarily malicious but is an inconsistency to clarify (where will the script be placed/run?).
!
Credentials
The code and SKILL.md require ARK_API_KEY (Bearer token) to call Volcengine APIs — that credential is proportionate to the skill's purpose. The problem is the registry metadata does not declare this required environment variable or primary credential, which is misleading and could cause unexpected behavior or credential surprises at runtime.
Persistence & Privilege
The skill does not request permanent/always-on presence, does not modify other skills, and has no install script that changes system-wide configuration. It performs normal network calls and file I/O for its stated purpose.
What to consider before installing
Before installing: (1) be aware this skill will upload any local images you pass (converted to base64) and send them to https://ark.cn-beijing.volces.com — do not upload sensitive images unless you trust that service and have the right to transmit them; (2) the skill requires an ARK_API_KEY (the SKILL.md and seedance.py enforce this), but the registry metadata does not declare it — confirm the manifest and supply the key only if you trust the operator; (3) there is no install spec even though SKILL.md references a CLI path — confirm where seedance.py will be stored and run, and inspect seedance.py yourself (it is included) to ensure there are no unexpected behaviors; (4) if you need higher assurance, ask the publisher for source/homepage, a clear install instruction, and explicit metadata listing ARK_API_KEY as required. If those inconsistencies are resolved (metadata updated and install path clarified), the skill would be coherent for its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk970avms663rt5xb3bz0sprdcd84t1w6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments