Security Decision Report

seedance-creator

Legitimate AI video generation skill with concerning remote script execution pattern for CLI installation, though the target domain appears to be ByteDance's official platform.

Install decision first · Source: manual upload · Scan time: 2026/4/3
Files: 1
IOCs: 2
Privilege-overreach items: 0
Findings: 3
Most direct threat evidence
Critical · Dangerous command
curl -fsSL https://jimeng.jianying.com/cli | bash

Why this conclusion

1 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are essentially consistent.

Block
Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound-connection signal.

Pass
Attack chain and high-risk findings

No clear malicious path is formed.

Review
Dependencies and supply-chain hygiene

No complete dependency information; the supply-chain judgment should remain tentative.

How the risk score was driven up

Remote script execution via curl|bash +20

SKILL.md line 60 contains 'curl -fsSL https://jimeng.jianying.com/cli | bash', which executes remote code without integrity verification.

No script transparency +10

Skill contains only documentation; actual behavior depends on opaque dreamina CLI binary

Legitimate use case and documentation -10

Skill is well-documented with clear purpose (AI video generation) and declared file access scope

Official domain mitigates risk -5

jimeng.jianying.com is ByteDance's official domain for 即梦 platform

Key evidence

Medium

Remote script execution via curl|bash

The installation command 'curl -fsSL https://jimeng.jianying.com/cli | bash' executes arbitrary remote code. While the domain appears legitimate (ByteDance's 即梦 platform), the pattern lacks integrity verification: the script fetched is whatever the server returns at install time, and nothing pins its version or checks its hash.

SKILL.md:60
Consider specifying a version and providing SHA256 checksum, or recommend manual download and verification.
Low

Opaque binary execution

The skill executes 'dreamina' CLI binary whose behavior cannot be audited from the skill files. All actual functionality (API calls, file processing) happens in the binary.

SKILL.md:1
Acceptable for CLI tool wrappers, but users should verify the dreamina binary source independently.
Low

File upload to external service

image2image and image2video commands upload user-provided local files to the 即梦 platform.

SKILL.md:93
Documentation includes warnings about sensitive content. Reasonable given the tool's purpose.

Declared vs. actual capabilities

Filesystem: Pass
Declared: READ
Inferred: READ
SKILL.md:36 'This command uploads local images to the 即梦 platform'
Command execution: Pass
Declared: WRITE
Inferred: WRITE
SKILL.md:26-60 CLI commands for dreamina execution
Network access: Pass
Declared: READ
Inferred: READ
SKILL.md:60 curl download + API calls to jimeng.jianying.com
Environment variables: Pass
Declared: NONE
Inferred: NONE
No environment variable access detected
Credentials: Pass
Declared: NONE
Inferred: NONE
SKILL.md:46 states OAuth browser-based auth, no API key storage

Suspicious artifacts and outbound connections

Critical · Dangerous command
curl -fsSL https://jimeng.jianying.com/cli | bash

SKILL.md:60

Medium · External URL
https://jimeng.jianying.com/cli

SKILL.md:60

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 370 lines
Markdown: 1 file · 370 lines
Files needing attention · 1
SKILL.md: Markdown · 370 lines
Remote script execution via curl|bash · Opaque binary execution · File upload to external service · curl -fsSL https://jimeng.jianying.com/cli | bash · https://jimeng.jianying.com/cli

Security highlights

Well-documented skill with clear purpose and scope
Browser-based OAuth authentication (no manual API key handling)
User-controlled execution (explicit /seedance command trigger)
Documented security warnings about sensitive file uploads
Only reads files when explicitly provided by user for upload purposes
Target domain (jimeng.jianying.com) is ByteDance's official platform domain
Credential storage documented as handled by official CLI (not in project)