ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

seedance-video

v1.0.0

Generate AI videos from text prompts or images with Seedance 2.0 on SkillBoss. Best for short ads, product demos, launch clips, and social videos.

0· 38·0 current·0 all-time
by@modestyrichards
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (Seedance/SkillBoss video generation) matches the instructions (POST to https://api.skillboss.co/v1/run, model seedance/seedance-2.0). However, examples and agent guidance assume an environment variable SKILLBOSS_API_KEY for Authorization, while the registry metadata declares no required env vars — this mismatch is unexpected and problematic.
Instruction Scope
SKILL.md stays on-topic: it describes forming POST requests to SkillBoss, supported options, and expected outputs. It does not instruct reading unrelated local files or unusual system paths. The only scope issue is the implicit use of SKILLBOSS_API_KEY in examples and guidance despite that not being declared in metadata.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. There are no downloads, extracted archives, or package installs to evaluate.
!
Credentials
The skill legitimately needs an API key to call SkillBoss, but the skill metadata does not declare any required environment variables. Requiring SKILLBOSS_API_KEY (shown in examples) without declaring it is an inconsistency. No unrelated credentials are requested, which is good, but the omission reduces transparency.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent/automatic inclusion or attempt to modify other skills' configuration. Autonomous invocation is allowed (platform default) but is not combined with other high-risk flags.
What to consider before installing
This skill appears to be what it claims (a SkillBoss front-end for Seedance video generation) but the SKILL.md examples use an environment variable SKILLBOSS_API_KEY while the registry metadata lists no required env vars. Before installing or enabling: - Confirm where and how you must provide a SkillBoss API key (SKILLBOSS_API_KEY). The metadata should explicitly list this required credential; ask the publisher to fix the manifest if it's missing. - Remember generated requests and any reference images will be sent to https://api.skillboss.co — don't upload sensitive images or confidential text unless you trust SkillBoss's handling and billing. - Verify the skill's publisher/source (homepage is provided, but the repository/source is unknown). Prefer skills with a published repo or verified publisher. - Check SkillBoss pricing/billing for per-second charges before generating videos. - Because this is instruction-only (no code to audit), treat it as higher risk than a published open-source skill — request the publisher to declare required env vars and provide a public repository or additional provenance if you need higher assurance.

Like a lobster shell, security has layers — review code before you run it.

automationvk972qpgjzfrddx263mgezs5nb184vd22latestvk972qpgjzfrddx263mgezs5nb184vd22toolsvk972qpgjzfrddx263mgezs5nb184vd22

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments