Skill v1.0.0

ClawScan security

SeedanceVideo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 4:28 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only wrapper for ByteDance/Volcengine Ark Seedance video-generation REST APIs and its requested credential (ARK_API_KEY) and instructions are consistent with that purpose.
Guidance
This skill is an instructional recipe for calling Volcengine/Ark Seedance APIs. Before installing: ensure you trust the Ark/Volcengine service and only provide an ARK_API_KEY scoped appropriately (least privilege). Be cautious with image URLs you provide (they must be public and may expose content to the service). The generated video_url is typically time-limited—download promptly. Because the skill is allowed to be invoked by the agent, consider whether you want an automated agent to initiate API calls that may consume credits on your Ark account; if not, avoid enabling autonomous invocation or supply a key with restricted billing/usage limits.

Review Dimensions

Purpose & Capability
ok
Name/description (Seedance video generation) align with the requested environment variable (ARK_API_KEY) and the SKILL.md which shows direct REST calls to Ark endpoints for text→video and image→video. There are no unrelated credentials, binaries, or install steps.
Instruction Scope
ok
SKILL.md only instructs the agent to call the Ark REST API (POST to create tasks, GET to poll status) with Authorization: Bearer $ARK_API_KEY, supply public image URLs for image-to-video, and download the returned signed video_url. It does not ask the agent to read local secrets, other env vars, shell history, or unrelated system paths. The instructions are concrete and scoped to the stated task.
Install Mechanism
ok
No install spec and no code files — instruction-only. This minimizes risk because nothing is written to disk or downloaded by an installer.
Credentials
ok
Only a single env var (ARK_API_KEY) is required, which is appropriate for authenticating to Volcengine/Ark. No other tokens, keys, or unrelated credentials are requested.
Persistence & Privilege
ok
always:false (default) and user-invocable: true. The skill does not request elevated platform privileges or permanent presence, and there is no evidence it modifies other skills or system settings.