ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seedance 2.0 Shot Design

v1.8.1

Professional-grade virtual film director and prompt engineer for Seedance 2.0 (即梦). Transforms vague ideas into cinematic, production-ready video prompts wit...

2· 408·1 current·1 all-time
by@woodfantasy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Seedance shot design) matches the repository contents: extensive references, templates, and a prompt validation script. The included Python validator and many reference docs are coherent with a quality-control workflow for producing video prompts.
!
Instruction Scope
SKILL.md explicitly instructs the agent to load local knowledge-base files (cinematography, quality anchors, etc.) and extract parameters — this is reasonable. However the documentation contains mixed/contradictory statements about validation: some places say the agent should 'execute the Python validation script' as part of the 5-step flow, while other places (v1.8.1 notes) say the agent will not execute code and uses native LLM checks instead. That inconsistency affects runtime behavior and risk: if the agent executes local scripts, that increases disk/exec scope; if not, the Python script is purely a developer tool. No instructions request unrelated secrets, system paths, or external endpoints in SKILL.md.
Install Mechanism
There is no automated install spec in the registry. README examples recommend git clone from GitHub (a well-known host). No downloads from obscure URLs or extract/install steps were found. Presence of local script files is the only notable install-time artifact.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That aligns with the stated purpose (prompt engineering / reference reading).
Persistence & Privilege
always:false and no special OS restrictions — the skill does not request elevated persistence. However the release notes describe aggressive trigger-word expansion (v1.7.2) to increase automatic activation coverage; combined with normal autonomous invocation this may increase chances the agent will auto-activate in casual conversations. This is a behavioral risk (unwanted activation), not a credential escalation.
What to consider before installing
What to check before installing: - Review scripts/validate_prompt.py yourself (or have it reviewed) to confirm it contains no network calls, subprocess.exec usage, or unexpected file-system writes; if the script is run by the agent it increases risk. The SKILL README is inconsistent about whether the agent executes that script—clarify your agent runtime's behavior (does it permit local code execution?) before trusting automatic validation. - If you are concerned about accidental activation, note the skill's changelog says trigger phrases were greatly expanded; consider disabling autonomous invocation or restricting activation/triggers in your agent settings. - Because the skill reads local reference files, verify those files do not include secrets or references to external endpoints. The repository appears to use only documentation and templates, which is normal for this purpose. - If you want to be extra cautious: run the Python validator locally on sample prompts to inspect its behavior and outputs; if the agent environment forbids code execution, ensure the SKILL.md expects LLM-native validation rather than code execution. If you want, I can scan the validate_prompt.py file for network calls, subprocess usage, file writes, or obfuscated code and summarise what it does.

Like a lobster shell, security has layers — review code before you run it.

Seedance 2.0vk970tjyb9099e4b22nhs404dzx83b2hsai-videovk9760j3erhdt7av9hzy30khmns836gm5cinematographyvk9760j3erhdt7av9hzy30khmns836gm5jimengvk9760j3erhdt7av9hzy30khmns836gm5latestvk977m1jgxwps7n72fcamxwbqcn84cqgbpromptvk9752bts948fccra613ghat8qh839zsgprompt-engineeringvk9760j3erhdt7av9hzy30khmns836gm5seedancevk9752bts948fccra613ghat8qh839zsgseedance2.0vk978fmpph58kk4hdpj6y8z8v8n83ty2dvideovk9760j3erhdt7av9hzy30khmns836gm5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments