Byted Byteplus Vod Video Enhancement

AdvisoryAudited by Static analysis on May 8, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence

ASI02: Tool Misuse and Exploitation

What this means

Selected local files or URLs may be copied into BytePlus VOD storage and processed by BytePlus services.

Why it was flagged

The skill intentionally performs remote uploads and starts cloud processing jobs. That is coherent with the VOD purpose, but it is a high-impact action on user media and the BytePlus account.

Skill content

Upload pipeline (local file): ApplyUploadInfo  returns TOS upload address + SessionKey ... PUT file to TOS ... CommitUploadInfo ... Quality restoration pipeline: StartExecution/enhanceVideo

Recommendation

Use it only for media you intend to upload/process, and review the file path, URL, VOD space, and enhancement settings before running commands.

NoteHigh Confidence

ASI03: Identity and Privilege Abuse

What this means

Anyone who can run the skill with these credentials can create uploads and restoration jobs in the configured VOD space.

Why it was flagged

The skill requires BytePlus account credentials and a VOD space to authenticate API calls. This is expected for the integration, but grants the scripts account authority for upload and processing actions.

Skill content

BYTEPLUS_ACCESSKEY  BytePlus Access Key ... BYTEPLUS_SECRETKEY  BytePlus Secret Key ... VOD_SPACE_NAME  VOD space name

Recommendation

Use a dedicated least-privilege key and VOD space where possible, keep .env files private, and rotate credentials if they may have been exposed.

NoteHigh Confidence

ASI04: Agentic Supply Chain Vulnerabilities

What this means

Your environment may install or use versions of these packages that were not pinned by the skill artifact.

Why it was flagged

The runnable scripts depend on external Python packages with lower-bound version constraints and no lockfile or install spec shown. This is common for Python integrations but affects dependency provenance and reproducibility.

Skill content

dependencies = [
    "requests>=2.31.0",
    "python-dotenv>=1.0.0",
]

Recommendation

Install dependencies from trusted package sources and consider pinning/locking versions in controlled environments.

NoteHigh Confidence

ASI07: Insecure Inter-Agent Communication

What this means

Media references or playable URLs could be exposed if copied into unrelated chats, logs, or untrusted downstream skills.

Why it was flagged

The skill encourages passing returned media references to downstream skills. This is part of the intended workflow, but the references identify uploaded media and should only be shared with trusted follow-up tools.

Skill content

`Source`: a `vid://`-formatted reference that can be passed directly to follow-up skills such as `byted-mediakit`. The host agent should save the `Source` field for use in subsequent processing steps.

Recommendation

Keep returned Vid, directurl, and PlayURL values within the intended workflow and avoid sharing them with tools that do not need access.