Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
seedance2-skill
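v1.0.1
Jimeng Seedance video creative workbench. When the user sends an image plus copy, it autonomously completes image analysis → copy expansion → camera-movement matching → quality validation → API generation. Trigger words: 即梦 (Jimeng), Seedance, seedance, 视频生成 (video generation), 视频提示词 (video prompt), AI视频 (AI video), 运镜 (camera movement), 短剧 (short drama), 广告视频 (ad video), 视频延长 (video extension), 图生视频 (image-to-video).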
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description, SKILL.md, README, and scripts/seedance.py are coherent: the skill is a video-prompt creative system that can call Volcengine/Seedance APIs. The embedded Python CLI is an appropriate client for that purpose. However, registry metadata declares no required env vars while documentation and the script both expect an ARK_API_KEY; that discrepancy is unexpected.
Instruction Scope
SKILL.md instructs the agent to analyze images, expand copy, validate camera work, and optionally call the API. Those steps stay within the stated scope. It does explicitly recommend using web_search and a local Python helper for simple preprocessing; the script will read local image/video/audio files, base64-encode them, and send them to the remote API. The instructions do not tell the agent to read unrelated system files or secrets, but they do permit uploading user media to an external service — a privacy consideration.
Install Mechanism
There is no install spec (instruction-only with an included Python script). No downloads from arbitrary URLs or archive extraction are prescribed. This is the lower-risk class for install mechanism.
Credentials
The code (scripts/seedance.py) requires an ARK_API_KEY environment variable and will exit if it is not set; README and SKILL.md also instruct users to export ARK_API_KEY. But registry metadata lists no required env vars or primary credential. This mismatch is a meaningful incoherence and could lead to surprising failures or accidental credential usage. Besides ARK_API_KEY, no other credentials are requested — which is proportionate — but the missing declaration is the problem. Also note: the script can accept a callback URL, which could be used to receive notifications or cause remote callbacks; users should consider privacy implications of uploading content to the remote API.
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system-wide configs. It does not ask for permanent agent-level privileges. Autonomous invocation is allowed (default), which is normal for skills, and is not combined here with other high-risk flags.
What to consider before installing
Before installing:
(1) Be aware the included Python CLI will upload any local image, video, or audio files you pass to the Volcengine Ark API (remote endpoint in the script). If those files contain sensitive content (faces, private scenes, proprietary assets), don't upload them.
(2) The skill's metadata does not declare the ARK_API_KEY env var, but the script and README require it — expect to export ARK_API_KEY yourself; treat that API key as sensitive.
(3) Verify you trust the source and the remote endpoint (ark.cn-beijing.volces.com) before providing your API key.
(4) If you need stricter guarantees, review the script's code locally (it is readable) and consider removing or sandboxing callbacks or transmission of files, or run the script in an isolated environment.
(5) If you are the publisher or integrator, update the skill metadata to declare ARK_API_KEY as a required credential and document the privacy implications (uploads, callback URLs) to remove this inconsistency.
Like a lobster shell, security has layers — review code before you run it.
latest vk97br3chhrr8365a909qp9yyrx81kkje
