Skills
skills/chunpu/agent-skills/generate-video-by-seedance/Gen Agent Trust Hub

generate-video-by-seedance

Warn

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
  • [DATA_EXFILTRATION]: The scripts/generate_video.py script contains a build_image_list function that reads local files based on paths provided in the --image or -i arguments.
  • Evidence: The script opens files using path.open("rb"), Base64-encodes the content, and includes it in the API request payload sent to https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks.
  • Risk: There is no validation or restriction on the file paths. An attacker could potentially trick the agent into reading sensitive files (e.g., SSH keys, configuration files) and sending them to the external API.
  • [COMMAND_EXECUTION]: The skill instructions and documentation encourage the execution of local Python scripts which perform network operations and filesystem access.
  • Evidence: The scripts generate_video.py and get_video_task_status.py make POST and GET requests to the Volcengine API and save downloaded files to the local filesystem.
  • [EXTERNAL_DOWNLOADS]: Both scripts include functionality to fetch content from a remote URL.
  • Evidence: requests.get(url, stream=True) is used to download the generated video file from the URL provided by the Ark API response. This originates from a well-known service.
  • [CREDENTIALS_UNSAFE]: The skill allows the Ark API key to be passed via command-line arguments or configuration files.
  • Evidence: The generate_video.py script accepts an --api-key argument and reads an api_key field from a YAML configuration file, which can lead to credential exposure in process lists or shell history.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 1, 2026, 05:32 AM