Dark Ritual Transform Video Gen Seedance2.0
Advisory
Audited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A run may spend WeryAI credits and the API key should be treated like a secret.
The skill requires a WeryAI bearer token and can create paid generation tasks. This is expected for the stated video-generation purpose and is disclosed, but it grants account-level authority to the provider API.
`WERYAI_API_KEY` **must be set** before running `video_gen.js`; ... Each `wait` run may consume credits
Use a dedicated or limited WeryAI key if possible, keep it out of project files, and confirm the prompt/settings before running generation.
If the model/settings are not checked, the request could use an unintended WeryAI model or consume credits unexpectedly.
The local CLI can submit WeryAI jobs with caller-provided parameters, so the model restriction depends on the agent following the documented workflow rather than hard enforcement in code.
The script **does not** enforce this skill's allowed model in code: you **must** set `"model":"SEEDANCE_2_0"` for this package and show it in the confirmation table before submit
Verify the confirmation table includes `SEEDANCE_2_0`, duration, aspect ratio, resolution, audio setting, and the full prompt before approving.
WeryAI receives the submitted prompt, generation settings, and any public image URLs used for image-to-video generation.
The script sends the generation request body, including prompt and optional image URLs, to WeryAI over HTTPS with the user's API key. The destination is disclosed and purpose-aligned.
const BASE_URL = 'https://api.weryai.com'; ... Authorization: `Bearer ${apiKey}` ... body: body != null ? JSON.stringify(body) : undefined
Do not include private, confidential, or sensitive material in prompts or image URLs unless you are comfortable sending it to WeryAI.
You have less external information to verify who maintains the skill before giving it an API key.
The registry metadata does not provide an upstream source or homepage for provenance. The bundled code is present and no remote install script is shown, so this is a provenance note rather than a concrete malicious indicator.
Source: unknown; Homepage: none
Review the bundled script, use an isolated environment or separate WeryAI account for higher assurance, and avoid installing if you cannot trust the package source.
