v1.0.0

Seedream Image Generation

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:50 AM.

Analysis

This is a coherent Seedream image-generation skill using an expected Volcengine API key, but users should verify the missing helper script/source before running it.

Guidance

This skill appears benign and aligned with image generation. Before installing or running it, make sure you trust the actual seedream.py helper script/package, protect your ARK_API_KEY, and only submit prompts or images that you are comfortable sending to Volcengine.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: Medium, Status: Note
SKILL.md
python3 {baseDir}/scripts/seedream.py -p "一只可爱的橘猫坐在窗台上"

The instructions reference a helper script under scripts/seedream.py, but the provided manifest contains only SKILL.md and no code files. This is not evidence of malicious behavior, but the executable helper's contents are not included in the reviewed artifacts.

User impact: If a script is supplied separately or added later, this review does not establish what that script does with prompts, images, output files, or the API key.
Recommendation: Before running the referenced helper, verify that it comes from a trusted source and inspect its code or package contents.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
SKILL.md
Before use, set the environment variable `ARK_API_KEY` ... python3 {baseDir}/scripts/seedream.py --api-key "your-api-key" ...

The skill requires a provider API key to access the Seedream service. This is expected for the stated purpose, but it gives the invoked code access to the user's Volcengine account quota/permissions.

User impact: If the API key is exposed or mishandled, someone could use the user's Volcengine account or consume paid quota.
Recommendation: Prefer the environment variable or a secret manager over command-line arguments, use a limited-scope key if available, and rotate the key if it may have been exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low, Confidence: High, Status: Note
SKILL.md
Seedream image generation API based on the Volcengine Ark large-model service platform ... image-to-image ... -i "input.png" ... web search

The skill is explicitly built around an external image-generation API and supports sending prompts and input images, with optional web search. This is purpose-aligned and disclosed, but it is still an external data flow.

User impact: Prompts, referenced images, and possibly generated content may be processed by the external Volcengine service.
Recommendation: Avoid submitting private or regulated images/prompts unless the provider's terms, retention, and privacy policy are acceptable for that data.