seedance-submitter
Audited by Socket on May 5, 2026
3 alerts found:
Anomaly x3
SUSPICIOUS: the skill’s capabilities mostly match its stated purpose, but its real data flow is insufficiently transparent. It uploads local assets and prompt content through opaque local scripts to an unspecified hosted capability, creating medium risk of third-party routing or unreviewed credential handling even though no overtly malicious behavior is shown.
No clear evidence of intentional malware/backdoor behavior is present in this module alone. However, it provides powerful capabilities: it can read arbitrary local files (via resolved localFilePath) and write arbitrary files (via resolved outputPath) using remote-provided base64 content, with minimal validation/containment. If upstream callers or the bridge supply untrusted paths/URLs/content, this can enable data exfiltration (upload) and unintended file overwrite or persistence-like impact (download).
SUSPICIOUS: the skill’s capabilities broadly match its stated image-batch purpose, but the true network endpoints and trust boundary are opaque. Uploading local media and routing generation through internal aliases/local scripts without disclosing official provider domains creates medium risk around data flow integrity, though there is no strong evidence of outright malware or credential theft in the supplied text.