← 返回 Skills 市场
seedance2-skill
作者
zhanghaonan777
· GitHub ↗
· v1.0.1
802
总下载
0
收藏
3
当前安装
2
版本数
在 OpenClaw 中安装
/install seedance2-skill
功能描述
即梦 Seedance 视频创意工作台。用户发图+文案时自主完成看图分析→文案扩写→运镜匹配→质量验证→API生成。触发词:即梦、Seedance、seedance、视频生成、视频提示词、AI视频、运镜、短剧、广告视频、视频延长、图生视频。
安全使用建议
Before installing: (1) Be aware the included Python CLI will upload any local images/videos/audios you pass to the Volcengine Ark API (remote endpoint in the script). If those files contain sensitive content (faces, private scenes, proprietary assets), don't upload them. (2) The skill's metadata does not declare the ARK_API_KEY env var, but the script and README require it — expect to set export ARK_API_KEY yourself; treat that API key as sensitive. (3) Verify you trust the source and the remote endpoint (ark.cn-beijing.volces.com) before providing your API key. (4) If you need stricter guarantees, review the script's code locally (it is readable) and consider removing or sandboxing callbacks or transmission of files, or run the script in an isolated environment. (5) If you are the publisher or integrator, update the skill metadata to declare ARK_API_KEY as a required credential and document the privacy implications (uploads, callback URLs) to remove this inconsistency.
功能分析
Type: OpenClaw Skill
Name: seedance2-skill
Version: 1.0.1
The `scripts/seedance.py` tool, designed to process user-provided media files, contains a local file disclosure vulnerability. It reads arbitrary local files (e.g., `~/.ssh/id_rsa`) if provided by the AI agent as input media, base64 encodes them, and sends them to the Volcengine Ark API. This allows an attacker to prompt the agent to exfiltrate sensitive local files. Additionally, the `ARK_API_KEY` is read from environment variables, which a compromised agent could be prompted to disclose. On macOS, the `os.system` call used to open downloaded files, while quoted, still presents a potential (though lower) remote code execution risk if the agent-controlled `download_dir` could be maliciously crafted.
能力评估
Purpose & Capability
Name/description, SKILL.md, README, and scripts/seedance.py are coherent: the skill is a video-prompt creative system that can call Volcengine/Seedance APIs. The embedded Python CLI is an appropriate client for that purpose. However, registry metadata declares no required env vars while documentation and the script both expect an ARK_API_KEY; that discrepancy is unexpected.
Instruction Scope
SKILL.md instructs the agent to analyze images, expand copy, validate camera work, and optionally call the API. Those steps stay within the stated scope. It does explicitly recommend using web_search and a local Python helper for simple preprocessing; the script will read local image/video/audio files, base64-encode them, and send them to the remote API. The instructions do not tell the agent to read unrelated system files or secrets, but they do permit uploading user media to an external service — a privacy consideration.
Install Mechanism
There is no install spec (instruction-only with an included Python script). No downloads from arbitrary URLs or archive extraction are prescribed. This is the lower-risk class for install mechanism.
Credentials
The code (scripts/seedance.py) requires an ARK_API_KEY environment variable and will exit if it is not set; README and SKILL.md also instruct users to export ARK_API_KEY. But registry metadata lists no required env vars or primary credential. This mismatch is a meaningful incoherence and could lead to surprising failures or accidental credential usage. Besides ARK_API_KEY, no other credentials are requested — which is proportionate — but the missing declaration is the problem. Also note: the script can accept a callback URL, which could be used to receive notifications or cause remote callbacks; users should consider privacy implications of uploading content to the remote API.
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system-wide configs. It does not ask for permanent agent-level privileges. Autonomous invocation is allowed (default), which is normal for skills, and is not combined here with other high-risk flags.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install seedance2-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/seedance2-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
- English localization: Core documentation (SKILL.md and README) rewritten in English for broader accessibility.
- Chinese localization added: New files (SKILL_zh.md, README_zh.md) provide full documentation in Chinese.
- Removed English-only docs (README_EN.md, SKILL_EN.md) to streamline localization approach.
- Explicit requirement: All final video prompts must be generated in Chinese, regardless of user language.
- All feature and workflow descriptions remain intact; documentation is now fully bilingual (EN/zh) via separate files.
v1.0.0
- Initial release of seedance2 skill: Seedance 视频创意工作台。
- Supports creative video prompt generation from user-provided images, text, or both.
- Integrates multi-modal visual analysis, copywriting expansion, cinematic motion matching, and quality validation.
- Utilizes curated lens language and style vocabulary from reference.md.
- Enforces high creative standards: memory points, surprise, emotion, and narrative required in prompts.
- API guide and platform specifications included for seamless integration with Seedance 2.0 and fallback to previous models.
元数据
常见问题
seedance2-skill 是什么?
即梦 Seedance 视频创意工作台。用户发图+文案时自主完成看图分析→文案扩写→运镜匹配→质量验证→API生成。触发词:即梦、Seedance、seedance、视频生成、视频提示词、AI视频、运镜、短剧、广告视频、视频延长、图生视频。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 802 次。
如何安装 seedance2-skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install seedance2-skill」即可一键安装,无需额外配置。
seedance2-skill 是免费的吗?
是的,seedance2-skill 完全免费(开源免费),可自由下载、安装和使用。
seedance2-skill 支持哪些平台?
seedance2-skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 seedance2-skill?
由 zhanghaonan777(@zhanghaonan777)开发并维护,当前版本 v1.0.1。
推荐 Skills