Is jackycser/seedance-video-generation safe?

https://github.com/openclaw/skills/tree/main/skills/jackycser/seedance-video-generation

84
SAFE

The seedance-video-generation skill is a legitimate video generation tool for ByteDance's Seedance API with no prompt injection, hidden instructions, or malicious installation behavior. The primary concerns are privacy-related: all user image data and the ARK_API_KEY credential are transmitted to ByteDance/Volcengine infrastructure in Beijing, which is the intended design but represents a data-residency risk. A secondary concern is a shell injection vulnerability in the macOS video-open code path that could be exploited if the ByteDance API endpoint were compromised.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (7)

MEDIUM All image data uploaded to ByteDance/Volcengine (China) servers -18

The skill converts local image files to base64 and sends them to ark.cn-beijing.volces.com for video generation. Any photo or document image provided by the user is transmitted to and processed by ByteDance cloud infrastructure in Beijing. This is the documented and intended behavior, but users with privacy or data-residency requirements should be aware.

MEDIUM ARK_API_KEY transmitted to Chinese cloud on every call -10

The get_api_key() function reads ARK_API_KEY from the environment and includes it as a Bearer token in every HTTP request to the Volcengine API. This is expected for a paid API service but means the credential is regularly sent over the network to a Chinese provider, increasing exposure surface if TLS were compromised or logging occurs server-side.

LOW Shell injection risk via os.system() with API-controlled task_id (macOS only) -18

In cmd_wait_logic(), after a successful video generation, the code calls os.system(f'open "{filepath}"') on darwin/macOS. The filepath includes task_id from the API JSON response. A malicious or compromised ByteDance API endpoint could return a task_id containing shell metacharacters (e.g. x"; ; echo ") to achieve arbitrary command execution on the user's macOS machine.

LOW Feishu platform credentials referenced in supplementary documentation -12

how_to_send_video_via_feishu_app.md documents accessing feishu.app_id and feishu.app_secret from OpenClaw's platform configuration to upload videos via Feishu Open API. While this describes legitimate platform integration, it expands the effective credential scope of the skill beyond the ARK_API_KEY declared in SKILL.md's prerequisites.

LOW Skill authored by individual developer, not official vendor -5

The _meta.json owner field is 'jackycser' (an individual) rather than an official ByteDance or OpenClaw organization account. Version history shows three releases within roughly two days. This does not indicate malice but warrants awareness that the skill has not been through a corporate security review process.

INFO Clean install with only expected GitHub network activity 0

The installation cloned from github.com/openclaw/skills.git using sparse checkout scoped to the skill subdirectory. No unexpected processes, listeners, or filesystem changes were detected. The /tmp/monorepo-clone directory was cleaned up after install.

INFO Canary file reads attributable to audit framework, not skill 0

inotify and auditd both record accesses to .env, .ssh/id_rsa, .aws/credentials, etc. at timestamps predating the git clone (audit framework init) and immediately post-install (audit framework canary check). No canary file content was modified or exfiltrated.