Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

seedance-2-video-gen

v2.1.0

Seedance 2.0 AI video generation via EvoLink API. Three modes — text-to-video, image-to-video (1-2 images), reference-to-video (images + videos + audio). Aut...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, README, SKILL.md, required binaries (curl, jq) and the single env var EVOLINK_API_KEY all align with a remote video-generation API gateway (EvoLink) that needs network calls and an API key.
Instruction Scope
SKILL.md instructions are narrowly scoped to collecting generation parameters, checking EVOLINK_API_KEY, and running the bundled generation script while relaying progress lines. The instructions do not ask for unrelated credentials or system files.
Install Mechanism
Registry metadata states 'No install spec — instruction-only', but the package includes an executable installer (bin/cli.js), package.json, and a shell generation script (scripts/seedance-gen.sh). That means there is runnable code that will copy files into the user's skills directory and set executable bits — expected for an installer, but the metadata/instruction-only claim is inconsistent and warrants inspection before executing (especially via npx).
Credentials
Only EVOLINK_API_KEY is required and declared as the primary credential. No other secrets or unrelated environment variables are requested in SKILL.md or the visible code snippets.
Persistence & Privilege
The skill does not request always:true and does not appear to modify unrelated skills or system settings. The installer copies files into the OpenClaw skills directory (writes to user home), which is the expected behavior for an OpenClaw skill installer — be aware this writes files to disk.
Scan Findings in Context
[no_regex_findings] expected: Static pre-scan reported no injection signals. That doesn't guarantee safety — executable installer and a shell script are present and should be reviewed manually for unexpected endpoints or data collection.
What to consider before installing
This package largely matches its advertised purpose (EvoLink Seedance video generation) and only needs curl/jq and your EvoLink API key. However:
(1) The registry lists the skill as instruction-only but the package contains an installer (bin/cli.js) and a shell script (scripts/seedance-gen.sh) — running via npx or the installer will execute code and copy files into your ~/.openclaw/skills (or another chosen path).
(2) Before installing or running, open and review scripts/seedance-gen.sh and bin/cli.js to confirm they only call EvoLink endpoints (evolink.ai) and do not exfiltrate other local files or credentials.
(3) If you plan to run via npx, prefer cloning the repo and inspecting files locally first, or run inside a sandbox.
(4) Confirm billing/usage on your EvoLink dashboard — the API key can incur charges.
If you want, provide the full scripts (seedance-gen.sh) and I can scan them line-by-line for hidden endpoints or suspicious behavior.
bin/cli.js:69
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.



Runtime requirements

Bins: jq, curl
Env: EVOLINK_API_KEY
Primary env: EVOLINK_API_KEY
