Suspicious: risk score 35/100
Last scan: 2 days ago
seedance-creator
AI video/image generation assistant for ByteDance's 即梦 (Seedance 2.0) platform
Legitimate AI video generation skill with a concerning remote script execution pattern for CLI installation, though the target domain appears to be ByteDance's official platform.
Skill name: seedance-creator
Analysis time: 31.0s
Engine: pi
Verdict: use with caution
Consider adding version-pinned installation instructions or providing checksum verification for the downloaded CLI binary. The curl|bash pattern is common for CLI tools but represents unnecessary risk.

Security findings (3)

Severity · Finding · Location

Medium · Remote script execution via curl|bash · SKILL.md:60
  The installation command 'curl -fsSL https://jimeng.jianying.com/cli | bash' executes arbitrary remote code. While the domain appears legitimate (ByteDance's 即梦 platform), this pattern lacks integrity verification.
  Evidence: curl -fsSL https://jimeng.jianying.com/cli | bash
  → Consider specifying a version and providing a SHA256 checksum, or recommend manual download and verification.

Low · Opaque binary execution · SKILL.md:1
  The skill executes the 'dreamina' CLI binary, whose behavior cannot be audited from the skill files. All actual functionality (API calls, file processing) happens in the binary.
  Evidence: "This skill should be used when the user asks to 'generate video prompts'... using the dreamina CLI tool"
  → Acceptable for CLI tool wrappers, but users should verify the dreamina binary source independently.

Low · File upload to external service · SKILL.md:93
  The image2image and image2video commands upload user-provided local files to the 即梦 platform.
  Evidence: dreamina image2image --images ./input.png
  → Documentation includes warnings about sensitive content. Reasonable given the tool's purpose.
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 SKILL.md:36 '此命令会上传本地图片到即梦平台'
命令执行 WRITE WRITE ✓ 一致 SKILL.md:26-60 CLI commands for dreamina execution
网络访问 READ READ ✓ 一致 SKILL.md:60 curl download + API calls to jimeng.jianying.com
环境变量 NONE NONE No environment variable access detected
凭证 NONE NONE SKILL.md:46 states OAuth browser-based auth, no API key storage
1 critical · 2 findings

Critical · Dangerous command (dangerous shell command)
  curl -fsSL https://jimeng.jianying.com/cli | bash
  SKILL.md:60

Medium · External URL
  https://jimeng.jianying.com/cli
  SKILL.md:60

Directory structure

1 file · 11.8 KB · 370 lines
Markdown: 1 file · 370 lines
└─ SKILL.md (Markdown, 370 lines, 11.8 KB)

Security highlights

✓ Well-documented skill with clear purpose and scope
✓ Browser-based OAuth authentication (no manual API key handling)
✓ User-controlled execution (explicit /seedance command trigger)
✓ Documented security warnings about sensitive file uploads
✓ Only reads files when explicitly provided by user for upload purposes
✓ Target domain (jimeng.jianying.com) is ByteDance's official platform domain
✓ Credential storage documented as handled by official CLI (not in project)