video-generate 安全扫描报告 — 可信 | ClawSafe

5 /100

video-generate

Generate videos using Doubao Seedance models

Legitimate video generation skill that makes API calls to ByteDance's Volcano Engine for AI video synthesis. No malicious behavior detected.

技能名称video-generate

分析耗时22.9s

引擎pi

✓

可以安装

No action needed. The skill performs as documented.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned httpx dependency 供应链 The httpx library is used without version pinning, which could allow a supply chain attack if a malicious version is published. `import httpx` → Pin httpx to a specific version, e.g., httpx>=0.24.0,<0.28.0	`scripts/video_generate.py:17`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	httpx POST/GET to ark.cn-beijing.volces.com/api/v3
环境变量	`READ`	`READ`	✓ 一致	os.getenv('ARK_API_KEY') line 32
文件系统	`NONE`	`NONE`	—	No file operations in code
命令执行	`NONE`	`NONE`	—	No subprocess or shell commands

3 项发现

🔗

中危外部 URL 外部 URL

http://www.apache.org/licenses/

LICENSE.txt:4

🔗

中危外部 URL 外部 URL

http://www.apache.org/licenses/LICENSE-2.0

LICENSE.txt:196

🔗

中危外部 URL 外部 URL

https://ark.cn-beijing.volces.com/api/v3

scripts/video_generate.py:17

3 文件 · 34.3 KB · 914 行

Python 1f · 513L Text 1f · 201L Markdown 1f · 200L

├─ ▾ 📁 scripts

│ └─ 🐍 video_generate.py Python 513L · 15.1 KB

├─ 📄 LICENSE.txt Text 201L · 11.1 KB

└─ 📝 SKILL.md Markdown 200L · 8.1 KB

包名	版本	来源	已知漏洞	备注
`httpx`	`*`	pip	否	Version not pinned

✓ SKILL.md documentation is comprehensive and matches code implementation

✓ API key only used for authentication to the legitimate Volcano Engine API

✓ No credential exfiltration or data theft patterns

✓ No shell execution, subprocess, or command injection vectors

✓ No obfuscation techniques (base64, eval, atob)

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)

✓ No remote script execution (curl|bash, wget|sh)

✓ Uses httpx async client with proper timeout handling

✓ Error handling properly implemented with informative messages