Skillv1.1.2

ClawScan security

Seedance 2.0 — AI Video by ByteDance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 18, 2026, 4:27 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is internally consistent with its stated purpose (video generation via Atlas Cloud) and only requests the Atlas Cloud API key; minor copy-paste inconsistencies exist but no signs of credential exfiltration or unexpected endpoints.
Guidance: This skill appears to do what it claims: it sends prompts/images to api.atlascloud.ai and downloads generated videos, and it requires only your Atlas Cloud API key. Before installation: (1) Verify you trust https://www.atlascloud.ai and that your API key is created with appropriate billing/quotas — generation may incur charges. (2) Inspect the script if you plan to run it locally; the example model IDs in the script (alibaba/wan-2.6) differ from the SKILL.md (bytedance/seedance-v1.5-pro), so confirm the correct model ID you want to use. (3) Be cautious when using the upload command — it will upload local media to Atlas Cloud (the script prompts for confirmation by default). If any additional environment variables or unusual endpoints appear in future versions, treat that as a red flag.
Findings: [no-findings] expected: Static pre-scan reported no injection signals. The script performs network calls to api.atlascloud.ai and reads ATLASCLOUD_API_KEY, which is expected for this purpose.

Purpose & Capability: noteThe name/description (Seedance by ByteDance) aligns with a video-generation skill that calls api.atlascloud.ai. The script and SKILL.md both target Atlas Cloud model endpoints and require only ATLASCLOUD_API_KEY. Minor inconsistency: commented usage in scripts/generate_video.py shows example model IDs like alibaba/wan-2.6, while SKILL.md references bytedance/seedance-v1.5-pro — likely copy/paste but worth checking that the intended model IDs are available on Atlas Cloud.
Instruction Scope: okSKILL.md and the script instruct only to send prompts, image URLs, and optionally upload local media to api.atlascloud.ai. The script reads only ATLASCLOUD_API_KEY from the environment and does not reference other system files, secrets, or unexpected remote endpoints. Uploads of local files require user confirmation by default.
Install Mechanism: okNo install spec — instruction-only plus a single Python script that uses only the standard library. Nothing is downloaded or executed from unknown remote URLs during install.
Credentials: okOnly ATLASCLOUD_API_KEY is declared and used; the script sends it in Authorization header to api.atlascloud.ai. This is proportionate for a cloud API client. The skill does not request unrelated credentials or config paths.
Persistence & Privilege: okalways is false and the skill does not request persistent system-level privileges. The skill does not modify other skills or system-wide settings.