Seedance Prompt Wizard

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-writing guide for Seedance videos with no code execution or credential access; the main issue is overly broad activation wording.

Safe to install as a Seedance prompt helper. Be aware it may activate on generic Chinese requests like “帮我写提示词,” and verify any referenced third-party Seedance API or platform separately before uploading private media or prompts there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list includes several broad, everyday Chinese phrases such as '帮我写提示词' and '制作提示词' that can plausibly appear in many unrelated conversations. This can cause unintended skill activation, leading to prompt hijacking of normal user interactions or interference with other skills, even though the skill itself does not perform API calls or privileged actions.

Natural-Language Policy Violations

Medium
Confidence: 76%
Finding
The output format hardcodes '完整中文 Prompt' while also requiring an English prompt in the API parameter block, without offering user language choice. This is not a direct security flaw, but it can cause usability and instruction-integrity issues by overriding user preferences or creating confusion about which language should be authoritative, which in turn may increase error-prone downstream use.

VirusTotal

62/62 vendors flagged this skill as clean.
