Skill Trust Decision

seedance-creator

Legitimate AI video generation skill with concerning remote script execution pattern for CLI installation, though the target domain appears to be ByteDance's official platform.

Source: Manual upload
Scanned: Apr 3, 2026
Files 1
Artifacts 2
Violations 0
Findings 3
Most direct threat evidence
Critical Dangerous Command
curl -fsSL https://jimeng.jianying.com/cli | bash

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Remote script execution via curl|bash +20

SKILL.md line 60 contains 'curl -fsSL https://jimeng.jianying.com/cli | bash' which executes remote code without integrity verification

No script transparency +10

Skill contains only documentation; actual behavior depends on opaque dreamina CLI binary

Legitimate use case and documentation -10

Skill is well-documented with clear purpose (AI video generation) and declared file access scope

Official domain mitigates risk -5

jimeng.jianying.com is ByteDance's official domain for the 即梦 platform

Most important evidence

Medium

Remote script execution via curl|bash

The installation command 'curl -fsSL https://jimeng.jianying.com/cli | bash' executes arbitrary remote code. While the domain appears legitimate (ByteDance's 即梦 platform), this pattern lacks integrity verification.

SKILL.md:60
Consider specifying a version and providing SHA256 checksum, or recommend manual download and verification.
Low

Opaque binary execution

The skill executes 'dreamina' CLI binary whose behavior cannot be audited from the skill files. All actual functionality (API calls, file processing) happens in the binary.

SKILL.md:1
Acceptable for CLI tool wrappers, but users should verify the dreamina binary source independently.
Low

File upload to external service

image2image and image2video commands upload user-provided local files to the 即梦 platform.

SKILL.md:93
Documentation includes warnings about sensitive content. Reasonable given the tool's purpose.

Declared capability vs actual capability

Filesystem Pass
Declared READ
Inferred READ
SKILL.md:36 'This command uploads local images to the 即梦 platform'
Shell Pass
Declared WRITE
Inferred WRITE
SKILL.md:26-60 CLI commands for dreamina execution
Network Pass
Declared READ
Inferred READ
SKILL.md:60 curl download + API calls to jimeng.jianying.com
Environment Pass
Declared NONE
Inferred NONE
No environment variable access detected
Credential Pass
Declared NONE
Inferred NONE
SKILL.md:46 states OAuth browser-based auth, no API key storage

Suspicious artifacts and egress

Critical Dangerous Command
curl -fsSL https://jimeng.jianying.com/cli | bash

SKILL.md:60

Medium External URL
https://jimeng.jianying.com/cli

SKILL.md:60

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 370 lines
Markdown 1 file · 370 lines
Files of concern · 1
SKILL.md Markdown · 370 lines
Remote script execution via curl|bash · Opaque binary execution · File upload to external service · curl -fsSL https://jimeng.jianying.com/cli | bash · https://jimeng.jianying.com/cli

Security positives

Well-documented skill with clear purpose and scope
Browser-based OAuth authentication (no manual API key handling)
User-controlled execution (explicit /seedance command trigger)
Documented security warnings about sensitive file uploads
Only reads files when explicitly provided by user for upload purposes
Target domain (jimeng.jianying.com) is ByteDance's official platform domain
Credential storage documented as handled by official CLI (not in project)