Byted Seedance Video Generate

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to do what it says—generate videos through Seedance/Volces APIs—but it uses an API key and sends your prompts and media URLs to that provider.

Before installing, make sure you trust the source enough to run the included Python script, configure a scoped Seedance/Ark API key, verify the API base URL, and avoid sending private prompts or media URLs unless you accept the provider processing them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse

Low

What this means

Video-generation requests may run under whichever configured provider account key is available, which can affect billing and account access.

Why it was flagged

The script uses a provider API key from the environment as a bearer token for requests.

Skill content

API_KEY = (os.getenv("ARK_API_KEY") or os.getenv("MODEL_VIDEO_API_KEY") or os.getenv("MODEL_AGENT_API_KEY")) ... "Authorization": f"Bearer {API_KEY}"

Recommendation

Use a scoped API key intended for this video service, avoid sharing broader account keys when possible, and verify the configured API base URL before use.

#ASI07: Insecure Inter-Agent Communication

Low

What this means

Any private prompt text or reference media URL you provide may be visible to or processed by the external provider.

Why it was flagged

The skill sends user prompts and supplied image/video/audio URLs in JSON requests to the external video-generation API.

Skill content

content = [{"type": "text", "text": prompt}] ... "image_url": {"url": config.first_frame} ... response = await client.post(url, headers=_get_headers(), json=body)

Recommendation

Only provide prompts and media URLs you are comfortable sending to the configured provider, and review that provider's privacy and retention terms.

#ASI04: Agentic Supply Chain Vulnerabilities

Info

What this means

It may be harder to verify who maintains the skill and what runtime dependencies are expected.

Why it was flagged

The artifact provides limited provenance and no installation/dependency contract even though it includes executable Python code.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Code file presence: scripts/video_generate.py

Recommendation

Review the included script before use and run it in an environment where its Python dependencies and provider configuration are controlled.