Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seedance 2.0 Video Gen

v1.0.2

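Seedance 2.0 AI video generation skill. Based on the user's description (text/image/video/audio), it automatically generates Seedance 2.0 API call parameters and supports three modes: text-to-video, image-to-video, and reference video. It supports the @asset-name syntax for controlling characters, camera, actions, and sound. Trigger words: 生成视频 (generate video), 制作视频 (make video), AI视频 (AI video), 图生视频 (image-to-video), 文生视频 (text-to-video), 视频生成 (video generation)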

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and SKILL.md consistently describe a video-generation helper that builds prompts and produces EvoLink/Seedance API call parameters — that capability aligns with the declared models and API endpoints. However, the registry metadata lists no required environment variables while the SKILL.md explicitly requires an API key (SEEDANCE_API_KEY), which is an inconsistency between what the skill says it needs and what the registry declares.
Instruction Scope
The runtime instructions are scoped to constructing prompts/JSON and showing curl/fetch/Python examples for POSTing to https://api.evolink.ai/v1/videos/generations and polling tasks. The instructions do not direct reading unrelated system files or exfiltrating data beyond calls to the third‑party API. They do reference using an Authorization header with $SEEDANCE_API_KEY (not declared in registry).
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is written to disk and no packages are installed. That is the lowest-risk install mechanism.
Credentials
The SKILL.md requires an API key (SEEDANCE_API_KEY) for EvoLink/Seedance, which is appropriate for a remote video-generation service. But the registry metadata lists zero required env vars and no primary credential — the omission is a mismatch that can obscure the fact the skill will attempt to use an external secret. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always: true and is user-invocable; it does not attempt to modify other skills or agent-wide config. Autonomous invocation is allowed by default but not combined with other high privileges here.
What to consider before installing
This skill appears to do what it claims (prepare parameters for Seedance/EvoLink video generation) and uses a single API key. Before installing:
1) Confirm the skill will need SEEDANCE_API_KEY (the SKILL.md requires it) and update registry settings or only provide the key when you intend to call the external API.
2) Verify the service endpoints and vendor (evolink.ai / seedance2api.app) independently — the skill has no homepage or source link in the registry.
3) Be cautious uploading sensitive images/audio/video: assets will be sent to a third‑party API and generated video links expire in 24h.
4) Prefer creating an API key with minimal permissions and monitor usage/quotas.
5) If you need higher assurance, ask the publisher for the source repository or a signed homepage and confirm the registry metadata is corrected to declare required env vars.

Like a lobster shell, security has layers — review code before you run it.

latestvk9780ndknbvqbrn3k8c508ayr1847qsb

