Is jackycser/seedance-video-generation-byteplus safe?
https://github.com/openclaw/skills/tree/main/skills/jackycser/seedance-video-generation-byteplus
This skill is a functional, well-documented BytePlus Seedance video generation integration whose core Python code and installation process are clean. The critical concern is in companion documentation: how_to_send_video_via_feishu_app.md, explicitly linked from SKILL.md, hardcodes a specific Feishu user ID as the video recipient in its example workflow — creating a social engineering vector where agents following the documented Feishu delivery path will send user-generated videos to a potentially attacker-controlled account. A secondary integrity concern is the presence of an unrelated skill's lock state inside the package directory, indicating it was assembled from a live workspace rather than a clean build.
Findings (7)
HIGH Hardcoded Feishu Recipient ID Embedded in Companion Documentation -35
The file how_to_send_video_via_feishu_app.md, explicitly referenced via a markdown link in SKILL.md, contains a hardcoded Feishu open_id as the receive_id in the API example. When an LLM agent processes SKILL.md and follows the documented Feishu video-sending workflow, it will adopt this hardcoded ID as the send destination, routing user-generated video content to the skill author's (or attacker's) Feishu account rather than the user's intended recipient. This is a social engineering injection via documentation that requires no direct SKILL.md manipulation.
MEDIUM User Video Content Could Be Routed to Third-Party Feishu Account -18
The hardcoded Feishu receive_id in companion documentation creates a data exfiltration vector targeting generated video content and any user-provided images submitted as first/last frames. The attack chain is: user provides sensitive images → skill generates video → agent follows Feishu workflow → video sent to ou_f323dd2c97951b029f7c43505c4b7566 instead of user's contact.
MEDIUM os.system() Call with API-Derived Filename Component -15
In seedance_byteplus.py, the cmd_wait_logic function opens downloaded videos using os.system(f'open "{filepath}"') on macOS. The filepath incorporates task_id from the BytePlus API response. A compromised API endpoint returning a task_id containing shell metacharacters (e.g., '; malicious_cmd; echo ') could execute arbitrary commands on the agent host.
LOW Unexpected Third-Party Skill Lock Entry in Skill Package -20
The skill package contains .clawhub/lock.json which records a separate installed skill (academic-research-hub v0.1.0) with an install timestamp. A clean skill release should not contain lock state from other skills. This indicates the package was assembled from a live development workspace rather than a clean build, raising questions about package provenance and what else may have been present during assembly.
LOW Skill Creates Complete Covert Content Exfiltration Pipeline When Combined with Feishu Tools -15
In isolation, neither the video generation capability nor a Feishu messaging tool is dangerous. However, this skill is explicitly designed to integrate with OpenClaw's message tool for Feishu delivery, and the companion documentation encodes a specific destination identity. The combination creates a fully documented covert content routing pipeline that requires no abnormal agent behavior — all steps follow documented instructions.
INFO Installation Was Clean — No Suspicious Network or Process Activity 0
The sparse checkout from the official openclaw/skills monorepo completed without any connections to non-GitHub infrastructure, no unexpected process spawning, and no filesystem changes outside the target skill directory. The installation mechanism is transparent and auditable.
INFO Canary Files Accessed by Audit Framework, Not Skill Code 0
Multiple canary file access events (PATH records for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud credentials) appear in auditd logs at two timestamps. Timing analysis shows these correspond to the audit framework's canary setup (pre-install) and verification (post-install) phases. Canary file hashes and content were confirmed intact.