Security audit

seedance-video

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward SkillBoss video-generation skill whose external API use is expected for its purpose, with no local code or hidden behavior found.

Install this if you intend to use SkillBoss for paid Seedance video generation. Use a scoped SkillBoss API key where possible, expect prompts and reference image URLs to be sent to SkillBoss, and avoid submitting secrets, confidential media, internal URLs, or personal data unless your policy allows that third-party processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly routes user prompts and potentially reference image URLs to a third-party API, but it does not warn users that their content will leave the local agent environment and be processed by SkillBoss and its downstream model provider. This creates a real privacy and data-handling risk, especially if users supply sensitive prompts, proprietary media URLs, or internal assets under the assumption that processing is local or undisclosed.

External Transmission

Medium
Category
Data Exfiltration
Content
### Image-Guided Video

```bash
curl -X POST "https://api.skillboss.co/v1/run" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
76% confidence
Finding
https://api.skillboss.co/

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.