Volcengine VeADK Skills
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is a coherent VeADK agent code generator/converter, with the main security-relevant behavior being expected local file creation for generated code.
Before installing, expect this skill to generate VeADK Agent code and save it locally. Review the generated code, output paths, and any included tools—especially code-execution tools—before running the generated agent.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may create or overwrite local files when saving generated VeADK agent code.
The helper writes supplied content to the supplied path. This is expected for saving generated agent code, but users should ensure the path is intended because existing files can be overwritten.
parser.add_argument("--path", type=str, required=True, help="Path to save the file") ... with open(file_path, "w", encoding="utf-8") as f:Review the output path before allowing the save step, and keep generated files inside a project directory.
If the generated agent includes this tool, running that generated agent could execute Python code in the configured sandbox environment.
The reference material tells the generator how to include a Python code-execution sandbox tool in generated VeADK agents. This is purpose-aligned for converting workflows with code execution, but generated agents should be reviewed before use.
代码沙箱执行(用来执行 Python 代码):`from veadk.tools.builtin_tools.run_code import run_code`
Inspect generated agent code and only enable code-execution tools when the user explicitly needs them.