v0.1.1

Doubao Image Video Skill V2

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 6:17 AM.

Analysis

The skill mostly matches its Doubao image/video generation purpose, but its troubleshooting guidance could cause users to reveal their ARK API key.

Guidance: Review this skill before installing. It appears to be a straightforward Doubao/Volcengine media-generation wrapper, but do not share raw `ARK_API_KEY` output in bug reports, consider using a dedicated API key, and avoid sending confidential prompts or private image URLs unless you trust the provider handling.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
README.md
sudo apt-get install curl jq ... chmod +x doubao.sh doubao_skill.sh examples.sh

The documented setup asks the user to install local dependencies and make scripts executable; this is normal for a Bash skill, but users should recognize it as manual local setup.

User impact: Installing dependencies or changing executable permissions affects the local environment, though the commands are visible and purpose-aligned.
Recommendation: Install curl and jq only from trusted package managers and review scripts before making them executable.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
README.md
If you run into problems, please provide the following information: ... 4. Environment variable: `env | grep ARK_API_KEY`

This support/debugging instruction can print and disclose the user's real ARK API key in an issue report or support message.

User impact: Anyone who receives that output could use the user's Volcengine ARK API key, potentially causing unauthorized usage or charges.
Recommendation: Do not paste raw ARK_API_KEY values into reports. The documentation should request only redacted output, such as whether the variable is set or the last four characters, and users should rotate the key if it was shared.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/doubao.sh
-H "Authorization: Bearer ${ARK_API_KEY}"

The script uses the ARK_API_KEY as a bearer credential for Volcengine API calls, which is expected for this service integration but gives the skill delegated account authority.

User impact: Using the skill can spend or consume resources on the configured Volcengine ARK account.
Recommendation: Use a dedicated, least-privileged API key if available, monitor usage, and avoid storing or sharing the key in logs or public files.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/doubao.sh
BASE_URL="https://ark.cn-beijing.volces.com/api/v3" ... curl ... -d "$payload"

Prompts, image URLs, and generation requests are sent to the Volcengine ARK API endpoint; this is disclosed and necessary for the skill's stated purpose.

User impact: Text prompts and referenced image URLs may leave the local environment and be processed by the external provider.
Recommendation: Avoid sending confidential prompts or private image URLs unless the provider account and data-handling terms are acceptable.