Is evolinkai/seedance-2-video-gen safe?

https://github.com/openclaw/skills/tree/main/skills/evolinkai/seedance-2-video-gen

78
CAUTION

The seedance-2-video-gen skill is a video generation wrapper for the EvoLink/ByteDance Seedance API with clean installation behavior and a reasonably secure shell script implementation using jq for safe JSON construction. Its primary security concern is a deliberate agent-level instruction to suppress all script output from users, creating a systematic blind spot that would conceal malicious script behavior. This pattern is particularly risky because it is architecturally intentional and applies to all future script updates. The skill also transmits all user creative content to a third-party commercial API without explicit data handling disclosures.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

HIGH Script Output Suppression Instruction Creates Systematic User Blind Spot -25

SKILL.md Step 4 explicitly instructs the hosting agent to never show script output to the user, only report the final result. While the stated reason is UX cleanliness (hiding polling status lines), this architectural decision means any malicious additions to seedance-gen.sh — credential reads, file listings, internal network probes — would be systematically hidden from the user by the agent itself following the skill's instructions. The suppression applies to all script stdout, not just polling lines.

MEDIUM Executable Shell Script Invoked with User-Controlled Input -28

The skill executes scripts/seedance-gen.sh as a subprocess with the user's video prompt as the first positional argument and other parameters derived from user responses. The current implementation safely constructs API payloads using jq --arg (preventing shell injection), but the attack surface exists: future skill updates could modify the script without changing SKILL.md, and the output suppression instruction would hide any such changes from users. The script is also world-readable at install with mode 0100664.

MEDIUM Third-Party API Key Collection with Full Content Transmission -20

The skill's onboarding flow explicitly solicits signup at evolink.ai and collection of EVOLINK_API_KEY. All user video prompts and reference image URLs are then transmitted to api.evolink.ai. Users receive no disclosure about evolink.ai data retention, content scanning, or third-party sharing. The API key itself is passed via Authorization header in every request, creating credential exposure if the API endpoint were compromised or changed.

MEDIUM Output Suppression Plus Shell Execution Creates Covert Operation Pattern -15

The combination of agent-level output suppression and shell script execution is a known high-risk pattern in skill security: it provides a ready-made mechanism for hiding arbitrary operations. If this skill is installed alongside other skills that can read files or enumerate credentials, the suppression instruction establishes a protocol for the agent to execute and hide results. The pattern is more concerning because it is architecturally intentional, not incidental.

LOW User Creative Content Transmitted to Third-Party Service by Design -20

All video generation prompts (potentially containing sensitive or proprietary descriptions) and reference image URLs are sent to api.evolink.ai in cleartext JSON. This is the documented purpose of the skill, but represents an implicit user data agreement with a third-party service that may not be visible to the deploying organization's security or compliance teams.

LOW Installation Produced Only Expected Network Traffic -10

The git clone during installation connected only to GitHub (140.82.121.4:443) as an external endpoint. The two pre-existing connections to Canonical/Ubuntu servers (185.125.188.57:443, 185.125.188.59:443) were established before the clone began and are system-level connections unrelated to the skill. No DNS queries to unexpected domains were observed during install.

INFO Canary File Reads Attributable to Monitoring Infrastructure Lifecycle -5

Inotifywait and auditd PATH records show opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application_default_credentials.json. Timestamp analysis places these reads at 1771927548 (pre-git-clone baseline phase) and 1771927573 (post-install integrity check phase), consistent with oathe's canary verification lifecycle. No correlated network egress was observed. The canary integrity monitor confirms all files unmodified.