Volcengine AI MediaKit
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill’s behavior matches its Volcengine media-processing purpose, but it requires cloud credentials and uploads/processes media in the user’s VOD account, which may incur charges.
Install only if you are comfortable giving the skill Volcengine VOD access and uploading selected media to that account. Prefer a dedicated VOD space and least-privilege API key, monitor billing, and avoid processing confidential media unless that cloud handling is intended.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can submit media-processing/upload actions in the configured Volcengine VOD space and may generate billable usage.
The skill requires Volcengine API credentials and is signaled as capable of paid operations. This is expected for a VOD media-processing integration, but it grants account authority.
Required env vars: VOLCENGINE_ACCESS_KEY, VOLCENGINE_SECRET_KEY, VOD_SPACE_NAME ... Capability signals: crypto; can-make-purchases
Use a dedicated least-privilege Volcengine key and VOD space, set quotas or billing alerts, and avoid installing it with broad production credentials.
Private or sensitive media supplied to the skill may be stored and processed in the user’s Volcengine VOD account, and resulting playback links may be shown in the conversation.
The documented workflow uploads local files or remote media URLs to Volcengine before processing, so user media leaves the local workspace and is handled by an external provider.
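When the user provides one of the following inputs, the upload logic must run first, and processing continues only after the `Vid` is obtained: local file path ... `http/https` link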
Only process media that is appropriate to upload to Volcengine, verify retention/access controls for generated assets, and avoid sharing returned playback links unintentionally.
The agent may run local Python commands to upload and process the files or URLs the user provides.
The skill instructs the agent to run bundled Python tools with user-supplied media inputs. This is central to the purpose and includes a disclosed local-path restriction.
Always use `scripts/upload_media.py`: `python <SKILL_DIR>/scripts/upload_media.py "<local_file_path_or_http_url>" [space_name]` ... Local file upload only allows files under the workspace/, userdata/ and /tmp directories
Review the file path or URL before asking the skill to process it, and keep media inputs within the intended workspace/userdata/tmp locations.
