ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byted Seedance Video Generate

v1.0.0

Generate videos using Seedance models. Invoke when user wants to create videos from text prompts, images, or reference materials.

0· 68·0 current·0 all-time
by@volcengine-skills
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Seedance video generation) match the implementation: the script builds generation tasks and polls a remote API. However, the registry metadata claims no required environment variables while both SKILL.md and the script expect an API key (ARK_API_KEY / MODEL_VIDEO_API_KEY / MODEL_AGENT_API_KEY) and optional API base/model name env vars — this is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to provide API keys and to call/run scripts that submit prompts and reference media URLs to a remote service. The instructions require the agent to return both video URLs and a local path/embed snippet. The script itself only interacts with the remote API and polls task status; it will send provided media URLs and prompts to the remote service (expected for this purpose). SKILL.md references a concrete local path for returned files which the script does not obviously create, so the instruction and implementation are not perfectly aligned.
Install Mechanism
There is no install spec (instruction-only + bundled Python script). That minimizes install-time risk, but the script imports httpx (a non-standard package) and assumes a Python runtime; the skill does not declare or install that dependency. The lack of an explicit dependency/install step is a mismatch you should plan for.
!
Credentials
The script legitimately needs an API key for the remote video-generation service; that is proportional. But registry metadata lists no required env vars while the SKILL.md and code require API keys. Additionally the code defaults API_BASE to an undocumented host (https://ark.cn-beijing.volces.com/api/v3) and accepts ARK_BASE_URL though SKILL.md does not document ARK_BASE_URL; using an unknown default endpoint increases risk and should be validated.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs on demand and only needs outbound network access to the configured API.
What to consider before installing
Before installing, verify the remote API and credential expectations: SKILL.md and the Python script require an API key (ARK_API_KEY or MODEL_VIDEO_API_KEY or MODEL_AGENT_API_KEY) even though the registry metadata lists none — do not supply high-privilege or unrelated credentials. Confirm the default API endpoint (https://ark.cn-beijing.volces.com) is a trusted Seedance/Doubao host for your use; if not, set MODEL_VIDEO_API_BASE to a known endpoint. Ensure your runtime can install httpx or provide it in the environment. Understand that any prompts and reference media URLs you provide will be transmitted to the remote service, so avoid sending sensitive content. If you need higher confidence, ask the publisher for provenance (homepage, official docs, or signed release) or run the script in an isolated environment and inspect network traffic to confirm where data is sent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aezkj529ankecnjw3dgnwy583w4w3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments