Suspicious — Risk Score 35/100
Last scan: 2 days ago
seedance-creator
AI video/image generation assistant for ByteDance's 即梦 (Seedance 2.0) platform
A legitimate AI video generation skill whose CLI installation uses a curl|bash pattern that runs unverified remote code; the target domain appears to be ByteDance's official platform.
Skill name: seedance-creator
Scan duration: 31.0s
Engine: pi
Use with caution
Consider adding version-pinned installation instructions or publishing a SHA256 checksum for the downloaded installer and CLI binary. The curl|bash pattern is common for CLI tools, but it executes whatever the server returns at install time with no way to detect a changed or tampered response, which is unnecessary risk when a download-then-verify step is available.

Findings (3 items)

Medium: Remote script execution via curl|bash
  The installation command 'curl -fsSL https://jimeng.jianying.com/cli | bash' executes arbitrary remote code: whatever the server returns at install time runs with the invoking user's privileges. While the domain appears legitimate (ByteDance's 即梦 platform), the pattern has no integrity verification, so a compromised or changed server response cannot be detected.
  Evidence: curl -fsSL https://jimeng.jianying.com/cli | bash
  → Pin a version and publish a SHA256 checksum, or recommend downloading the installer to a file, verifying it, and only then running it.
  Location: SKILL.md:60

Low: Opaque binary execution
  The skill executes the 'dreamina' CLI binary, whose behavior cannot be audited from the skill files: all actual functionality (API calls, file processing) happens inside the binary.
  Evidence: This skill should be used when the user asks to 'generate video prompts'... using the dreamina CLI tool
  → Acceptable for CLI tool wrappers, but users should verify the source of the dreamina binary independently.
  Location: SKILL.md:1

Low: File upload to external service
  The image2image and image2video commands upload user-provided local files to the 即梦 platform.
  Evidence: dreamina image2image --images ./input.png
  → The documentation includes warnings about sensitive content; reasonable given the tool's purpose.
  Location: SKILL.md:93
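The download-then-verify install that the curl|bash finding and the summary recommendation ask for, as an added example; this is not code from the skill, its SKILL.md, or ByteDance. The pinned SHA256 digest is an assumption: the scanned SKILL.md shows no published checksum for https://jimeng.jianying.com/cli, so the offline demo derives one from a constructed stand-in installer script, and the function that actually fetches the URL is defined but not called.

```shell
#!/bin/sh
# Added example: download -> compare against a pinned SHA256 -> execute only on
# match, instead of "curl -fsSL https://jimeng.jianying.com/cli | bash".
# Assumption: the pinned digest comes from an out-of-band source (vendor release
# notes, a signed manifest). None is published for this URL as far as the scanned
# SKILL.md shows, so the demo below derives one from a constructed file.

# Portable SHA256 of a file: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Step 1: fetch to a file, never into a pipe. HTTPS only, no protocol downgrade.
# (Not called in the offline demo; the URL is the one from SKILL.md:60.)
fetch_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# Step 2: run the saved installer only if its digest equals the pinned one.
# $1 = installer path, $2 = expected SHA256 hex digest.
run_if_verified() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'refusing to run %s: sha256 %s != pinned %s\n' "$1" "$actual" "$2" >&2
        return 1
    fi
    sh "$1"
}

# Offline demo with a constructed stand-in for the installer script.
demo() {
    tmp=$(mktemp -d)
    installer="$tmp/cli.sh"
    marker="$tmp/ran"
    # The constructed installer only creates a marker file, so we can tell if it ran.
    printf '#!/bin/sh\ntouch "%s"\n' "$marker" > "$installer"
    pinned=$(sha256_of "$installer")   # stands in for the out-of-band digest

    if run_if_verified "$installer" "$pinned" && [ -f "$marker" ]; then
        echo "pinned digest matched: installer ran"
    fi
    rm -f "$marker"

    # Server-side change (what an unpinned curl|bash would execute silently).
    printf 'echo injected\n' >> "$installer"
    if run_if_verified "$installer" "$pinned"; then
        echo "BUG: modified installer ran"
    else
        [ -f "$marker" ] || echo "modified installer refused: nothing executed"
    fi
    rm -rf "$tmp"
}
demo
```

Against the real endpoint the sequence is `fetch_installer https://jimeng.jianying.com/cli cli.sh && run_if_verified cli.sh <pinned digest>`; the digest must come from somewhere other than the same server that serves the script, otherwise the check only proves the download was not corrupted in transit.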
Resource alignment (declared vs inferred)

Resource     Declared  Inferred  Status     Evidence
Filesystem   READ      READ      ✓ Aligned  SKILL.md:36 '此命令会上传本地图片到即梦平台' ("This command uploads local images to the 即梦 platform")
Shell        WRITE     WRITE     ✓ Aligned  SKILL.md:26-60 CLI commands for dreamina execution
Network      READ      READ      ✓ Aligned  SKILL.md:60 curl download + API calls to jimeng.jianying.com
Environment  NONE      NONE                 No environment variable access detected
Credential   NONE      NONE                 SKILL.md:46 states OAuth browser-based auth, no API key storage
Pattern matches (1 critical, 2 total)

💀 Critical: Dangerous shell command
   curl -fsSL https://jimeng.jianying.com/cli | bash
   SKILL.md:60
🔗 Medium: External URL
   https://jimeng.jianying.com/cli
   SKILL.md:60
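A way to reproduce the two pattern matches above on any SKILL.md before installing a skill, as an added example that is not the scanner's code or the skill's; it is widened beyond the report's single `curl | bash` hit to the other pipe-to-shell spellings a reviewer should catch (`wget | sudo sh`, `bash -c "$(curl ...)"`). The regular expressions are this example's own, and the input is a constructed excerpt, not the real SKILL.md.

```shell
#!/bin/sh
# Added example: reproduce this report's "Dangerous Command" and "External URL"
# pattern checks on a SKILL.md, widened to other pipe-to-shell spellings.
# The regexes are this example's own, not the scanner's; input is constructed.

# Downloaded content fed straight into a shell: "<fetch> ... | [sudo] sh/bash/zsh/dash"
PIPE_RE='(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)'
# Same thing via command substitution: sh -c "$(curl ...)"
SUBST_RE='(ba|z|da)?sh[[:space:]]+-c[[:space:]]+.?\$\((curl|wget)'
# http(s) URLs; stops at whitespace, double quotes, ')' and '>'.
URL_RE='https?://[^[:space:]")>]+'

find_pipe_to_shell() { grep -nE "$PIPE_RE|$SUBST_RE" "$1"; }
find_external_urls() { grep -oE "$URL_RE" "$1" | sort -u; }

# Prints both sections; returns 1 when any pipe-to-shell line is present, so it
# can gate installing or enabling a skill.
audit_skill() {
    echo "== pipe-to-shell lines in $1"
    hits=$(find_pipe_to_shell "$1" || true)
    printf '%s\n' "${hits:-(none)}"
    echo "== external URLs in $1"
    find_external_urls "$1"
    [ -z "$hits" ]
}

# Constructed excerpt (not the real SKILL.md); line 3 is the command flagged at SKILL.md:60.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# seedance-creator (constructed excerpt)
Install the CLI:
curl -fsSL https://jimeng.jianying.com/cli | bash
Other spellings the same check must catch:
wget -qO- https://example.invalid/install.sh | sudo sh
bash -c "$(curl -fsSL https://example.invalid/get)"
Docs: https://example.invalid/docs
Download-to-file is not flagged: curl -fsSL -o cli.sh https://jimeng.jianying.com/cli
EOF
audit_skill "$demo_file" || echo "verdict: review before use"
rm -f "$demo_file"
```

Run `audit_skill path/to/SKILL.md` on a skill before trusting it; a non-zero exit means at least one line executes a download directly. The URL list is for eyeballing which hosts the skill talks to, which is what turned the jimeng.jianying.com domain into the "External URL" entry above.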

File Tree

1 file · 11.8 KB · 370 lines (Markdown: 1 file, 370 lines)
└─ 📝 SKILL.md  Markdown · 370 lines · 11.8 KB

Security Positives

✓ Well-documented skill with clear purpose and scope
✓ Browser-based OAuth authentication (no manual API key handling)
✓ User-controlled execution (explicit /seedance command trigger)
✓ Documented security warnings about sensitive file uploads
✓ Reads local files only when the user explicitly supplies them for upload
✓ Target domain (jimeng.jianying.com) is ByteDance's official platform domain
✓ Credential storage documented as handled by official CLI (not in project)