Skill v1.0.1

ClawScan security

For long videos, automatically split the video task, using the last frame of the previous video as the first frame of the current video to maintain video continuity · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 14, 2026, 10:05 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill largely does what it claims (calls ByteDance/Volcengine Ark APIs to generate videos) but has inconsistencies you should know about: the runtime docs and code require an ARK_API_KEY and upload local images to an external service, yet the registry metadata does not declare any required credentials or an install mechanism — this mismatch is concerning.
Guidance
Before installing: (1) be aware this skill will upload any local images you pass (converted to base64) and send them to https://ark.cn-beijing.volces.com — do not upload sensitive images unless you trust that service and have the right to transmit them; (2) the skill requires an ARK_API_KEY (the SKILL.md and seedance.py enforce this), but the registry metadata does not declare it — confirm the manifest and supply the key only if you trust the operator; (3) there is no install spec even though SKILL.md references a CLI path — confirm where seedance.py will be stored and run, and inspect seedance.py yourself (it is included) to ensure there are no unexpected behaviors; (4) if you need higher assurance, ask the publisher for source/homepage, a clear install instruction, and explicit metadata listing ARK_API_KEY as required. If those inconsistencies are resolved (metadata updated and install path clarified), the skill would be coherent for its stated purpose.

Review Dimensions

Purpose & Capability
concern
The description, SKILL.md, and seedance.py consistently target ByteDance Seedance via the Volcengine Ark API (model doubao-seedance-2-0-260128). Requiring an API key for that service is expected, but the registry metadata lists no required environment variables or primary credential — this mismatch is incoherent and should be corrected.
Instruction Scope
note
SKILL.md and seedance.py stay within the stated purpose: creating/querying/deleting video generation tasks and optionally downloading results. However, the tool will read local image files (convert to base64) and upload them to the external API, and it will download generated videos/last frames to local directories — users should be aware that local files and generated content are transmitted to/from the external service.
Install Mechanism
note
There is no install spec (no instructions that place the CLI at the claimed path), yet SKILL.md refers to a CLI at ~/.claude/skills/seedance-2-0-video/seedance.py and the bundle includes seedance.py. Absence of an explicit install mechanism is not necessarily malicious but is an inconsistency to clarify (where will the script be placed/run?).
Credentials
concern
The code and SKILL.md require ARK_API_KEY (Bearer token) to call Volcengine APIs — that credential is proportionate to the skill's purpose. The problem is the registry metadata does not declare this required environment variable or primary credential, which is misleading and could cause unexpected behavior or credential surprises at runtime.
Persistence & Privilege
ok
The skill does not request permanent/always-on presence, does not modify other skills, and has no install script that changes system-wide configuration. It performs normal network calls and file I/O for its stated purpose.