ClawHub

Fantasy Transform Video Gen Seedance2.0

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WeryAI video-generation integration, but it uses a paid API key and sends prompts or image URLs to WeryAI, so users should review those details before use.

Install only if you trust the publisher and WeryAI integration. Use a revocable or limited API key if possible, verify the confirmation table shows `SEEDANCE_2_0`, and avoid submitting confidential prompts or image URLs.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI03: Identity and Privilege Abuse
Low
What this means

If used with your WeryAI key, the skill can create paid generation tasks on your account.

Why it was flagged

The skill requires a provider credential and can spend account credits, which is expected for video generation but important for the user to authorize deliberately.

Skill content
`WERYAI_API_KEY` must be set before running `video_gen.js` ... Each `wait` run may consume credits; re-run creates new paid tasks.
Recommendation

Use a key/account you trust for this purpose, confirm each generation request, and avoid unnecessary re-runs.

#
ASI02: Tool Misuse and Exploitation
Low
What this means

A mistaken model parameter could submit a different WeryAI model or create an unintended paid task.

Why it was flagged

The bundled CLI can submit requests with whatever model parameter it is given, so the Seedance-only restriction depends on the agent following the skill instructions and user confirmation.

Skill content
The script does not enforce this skill's allowed model in code: you must set `"model":"SEEDANCE_2_0"` ... show it in the confirmation table before submit.
Recommendation

Check the confirmation table before approving and verify that the model is exactly `SEEDANCE_2_0`.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Text prompts and referenced images may be processed by WeryAI, so sensitive content should not be included unless you are comfortable sharing it with that provider.

Why it was flagged

Generation requires sending the prompt and any public image URLs to WeryAI's external API, which is disclosed and aligned with the skill purpose.

Skill content
Video tasks: `https://api.weryai.com` ... `prompt` ... `image` | Public **https** URL ... `images` | Array of public **https** URLs
Recommendation

Avoid private or confidential prompts/images, and review WeryAI's terms and data handling before use.

#
ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

You have less external context for deciding whether to trust the publisher and bundled script.

Why it was flagged

The registry information does not identify an upstream source or homepage, which is a provenance gap for code that uses a provider API key.

Skill content
Source: unknown; Homepage: none
Recommendation

Review the included script before installing and prefer a restricted or revocable API key.