Scan Report
5/100
video-generate
Generate videos using Doubao Seedance models
Legitimate video generation skill that makes API calls to ByteDance's Volcano Engine for AI video synthesis. No malicious behavior detected.
Safe to install
No action needed. The skill performs as documented.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned httpx dependency (Supply Chain) | scripts/video_generate.py:17 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | httpx POST/GET to ark.cn-beijing.volces.com/api/v3 |
| Environment | READ | READ | ✓ Aligned | os.getenv('ARK_API_KEY') line 32 |
| Filesystem | NONE | NONE | — | No file operations in code |
| Shell | NONE | NONE | — | No subprocess or shell commands |
3 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | http://www.apache.org/licenses/ | LICENSE.txt:4 |
| Medium | External URL | http://www.apache.org/licenses/LICENSE-2.0 | LICENSE.txt:196 |
| Medium | External URL | https://ark.cn-beijing.volces.com/api/v3 | scripts/video_generate.py:17 |
File Tree
3 files · 34.3 KB · 914 lines
| Language | Files | Lines |
|---|---|---|
| Python | 1 | 513 |
| Text | 1 | 201 |
| Markdown | 1 | 200 |
├─ scripts
│  └─ video_generate.py (Python)
├─ LICENSE.txt (Text)
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| httpx | * | pip | No | Version not pinned |
Security Positives
✓ SKILL.md documentation is comprehensive and matches code implementation
✓ API key only used for authentication to the legitimate Volcano Engine API
✓ No credential exfiltration or data theft patterns
✓ No shell execution, subprocess, or command injection vectors
✓ No obfuscation techniques (base64, eval, atob)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No remote script execution (curl|bash, wget|sh)
✓ Uses httpx async client with proper timeout handling
✓ Error handling properly implemented with informative messages