Seedream Image Generation

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Seedream image-generation skill using an expected Volcengine API key, but users should verify the missing helper script/source before running it.

This skill appears benign and aligned with image generation. Before installing or running it, make sure you trust the actual seedream.py helper script/package, protect your ARK_API_KEY, and only submit prompts or images that you are comfortable sending to Volcengine.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the API key is exposed or mishandled, someone could use the user's Volcengine account or consume paid quota.

Why it was flagged

The skill requires a provider API key to access the Seedream service. This is expected for the stated purpose, but it gives the invoked code access to the user's Volcengine account quota/permissions.

Skill content

Before use, you need to set the environment variable `ARK_API_KEY` ... python3 {baseDir}/scripts/seedream.py --api-key "your-api-key" ...

Recommendation

Prefer the environment variable or a secret manager over command-line arguments, use a limited-scope key if available, and rotate the key if it may have been exposed.

What this means

Prompts, referenced images, and possibly generated content may be processed by the external Volcengine service.

Why it was flagged

The skill is explicitly built around an external image-generation API and supports sending prompts and input images, with optional web search. This is purpose-aligned and disclosed, but it is still an external data flow.

Skill content

Seedream image-generation API based on the Volcengine Ark large-model service platform ... image-to-image ... -i "input.png" ... web search

Recommendation

Avoid submitting private or regulated images/prompts unless the provider's terms, retention, and privacy policy are acceptable for that data.

What this means

If a script is supplied separately or added later, this review does not establish what that script does with prompts, images, output files, or the API key.

Why it was flagged

The instructions reference a helper script under scripts/seedream.py, but the provided manifest contains only SKILL.md and no code files. This is not evidence of malicious behavior, but the executable helper's contents are not included in the reviewed artifacts.

Skill content

python3 {baseDir}/scripts/seedream.py -p "一只可爱的橘猫坐在窗台上"

Recommendation

Before running the referenced helper, verify that it comes from a trusted source and inspect its code or package contents.