Back to skill

Security audit

Seedance 2.0 Shot Design

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only video-prompt skill with some unsafe or overbroad documentation patterns users should handle carefully.

Install only from a source or pinned revision you trust. Do not pipe the optional Jimeng CLI installer directly into bash unless you have verified it, and do not run the Python validator unless you intend to execute local code. When using the skill, avoid uploading private likeness, voice, or copyrighted reference materials unless you have rights and consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (19)

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The README states that output language is selected automatically based on whether the user is Chinese or not, rather than by explicit user choice. Inferring nationality or language preferences and silently changing behavior can cause privacy concerns, unfair profiling, and incorrect routing of outputs, especially in multilingual or shared-account settings.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The documentation repeatedly promotes automatic language detection and output switching without offering a clear opt-in or override path. Repetition across design sections increases the chance that implementers will treat language inference as required behavior, making the privacy and user-autonomy issue systemic rather than incidental.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The README states that output language is selected automatically based on whether the user is presumed to be Chinese or not, without describing an explicit override. This creates an avoidable autonomy and preference-handling issue: users may receive output in an unintended language, and locale inference can be inaccurate or sensitive in some deployments.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The changelog repeats the same product rule of automatically choosing Chinese for Chinese users and English for others, again without mentioning any override path. Repetition in the documented behavior suggests this is an intentional design choice rather than a one-off wording issue, increasing the likelihood the forced behavior is implemented consistently.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README states the skill 'auto-activates' from a simple natural-language request, which creates ambiguous invocation boundaries. In an agent setting, broad implicit activation can cause the skill to take over unrelated conversations or apply its instructions when the user did not explicitly request this capability, increasing prompt-injection and unintended-behavior risk.

Vague Triggers

High
Confidence
96% confidence
Finding
The changelog explicitly celebrates expanded activation on 'natural, everyday user expressions,' showing the trigger surface was intentionally broadened. Overly broad trigger matching is dangerous in multi-skill or agent environments because it can hijack benign conversations, cause unrequested instruction loading, and amplify the impact of any unsafe logic contained in the skill.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
Automatically choosing output language based on whether the user is 'Chinese' or 'non-Chinese' makes a behavioral decision from inferred user identity instead of explicit preference. This is a weaker security issue than code execution, but it can create privacy, profiling, and consent problems, especially if language or identity is inferred incorrectly.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The changelog confirms a design choice to infer user category and force bilingual output behavior accordingly, rather than relying on explicit user choice. In agent systems, identity- or category-based behavior can become a policy and privacy risk, and can produce incorrect or discriminatory outcomes when inference is wrong.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README says a generic request like writing a video prompt will cause the skill to activate automatically, without narrow trigger boundaries. Overly broad activation increases the chance the skill intercepts unrelated user requests and injects its own instructions or formatting unexpectedly, which can override user intent and widen the skill's operational scope.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Expanding triggers to everyday phrases such as generic requests to make a video or create a clip makes invocation boundaries too loose. In an agent ecosystem, this can cause unintentional routing, prompt interference, and accidental application of this skill to tasks that were not meant to use it.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
Forcing output language based on inferred user nationality or locale reduces user control and can mis-handle multilingual or privacy-sensitive contexts. While not a classic security flaw, it is a policy and routing weakness that can lead to incorrect disclosure, degraded usability, or unintended personalization based on inferred attributes.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The version history reaffirms automatic bilingual output selection based on detection logic, which institutionalizes the same lack of user choice. In skill routing contexts, persistent automatic language forcing can create privacy and consent concerns around inferred user attributes and produce outputs in the wrong language.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs users to install a CLI by piping a remotely fetched script directly into bash, without any integrity verification, signature check, or warning. This creates a supply-chain execution risk: if the remote host, transport, or distribution path is compromised, arbitrary code will run immediately on the user's machine.

Ssd 4

Medium
Confidence
97% confidence
Finding
The feature description presents a 'copyright-safe IP avoidance' strategy as a way to prevent platform content blocks, which is effectively guidance for circumventing content policy enforcement. Even if framed as compliance, this encourages users to repackage copyrighted or restricted material to slip past moderation, increasing legal and platform-abuse risk.

Ssd 2

Medium
Confidence
96% confidence
Finding
The changelog explicitly mentions moderation workarounds for real human faces, including blurring or converting to NPR styles to get around platform restrictions. Documenting alternative representations to bypass safety review materially lowers the barrier to evading moderation controls for sensitive or restricted likeness content.

Ssd 4

Medium
Confidence
95% confidence
Finding
The README advertises a '3-stage progressive IP avoidance strategy' to prevent platform content blocking, which frames the skill as helping users work around copyright/IP enforcement mechanisms rather than merely avoid infringement. In a prompt-engineering skill, this is risky because it can facilitate generation of derivative or policy-evading content while presenting the behavior as a safety feature.

Ssd 2

Medium
Confidence
93% confidence
Finding
The changelog describes 'clear strategies' to bypass moderation on realistic human faces by blurring them or forcing NPR styling. Even if phrased as compatibility guidance, this is effectively advice for evading a safety control on a sensitive content class, which can be repurposed to generate disallowed or higher-risk person-based media.

Ssd 2

Medium
Confidence
91% confidence
Finding
The README explicitly says a template can 'bypass' a one-take generation restriction by automatically producing montage-like cuts in a single generation. This is concerning because it teaches users how to circumvent platform or product constraints instead of working within intended capabilities and safety boundaries.

Ssd 2

Medium
Confidence
88% confidence
Finding
The README promotes 'review safety' and camera-term disambiguation intended to avoid platform review false positives, and the changelog elsewhere discusses moderation-related adaptation strategies. Even if framed as reducing mistaken blocks, documentation about wording to get content past review systems can facilitate moderation evasion and make policy enforcement less effective.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.