byted-kickart-saliency-segmenter

Pass

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCREDENTIALS_UNSAFEREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands for file management and execution of its internal scripts.
  • Instructions in SKILL.md use unzip to process user-provided ZIP archives and mkdir to prepare working directories in /tmp/openclaw/.
  • The agent is directed to execute several Python 3.12 scripts (plan.py, upload.py, segment.py, upgrade.py) to orchestrate the image processing workflow.
  • [EXTERNAL_DOWNLOADS]: The skill fetches images from external network locations to facilitate processing.
  • It downloads images from user-supplied URLs using curl as part of the initial image preparation step.
  • The segment.py script downloads resulting assets (subject and mask images) from ByteDance's content delivery infrastructure (bytednsdoc.com).
  • [DATA_EXFILTRATION]: Local image data is uploaded to external services for processing.
  • Local image files provided by the user are uploaded to the ByteDance "Muse" media service (iccloud_muse) via the upload.py and media.py scripts.
  • [CREDENTIALS_UNSAFE]: The skill instructions direct the agent to facilitate cloud service credential configuration.
  • Instructions in SKILL.md guide the agent to ask the user for Volcengine Access Keys (ACCESS_KEY_ID, SECRET_ACCESS_KEY) if they are not pre-configured, using export to set them for the current session.
  • These credentials are used exclusively to authenticate requests to the vendor's Volcengine API platform.
  • [REMOTE_CODE_EXECUTION]: The skill features a dynamic update mechanism that retrieves execution logic from a remote server.
  • The upgrade.py script queries the vendor's API for version information and an install_command string.
  • Per instructions in SKILL.md, the agent is prompted to execute this server-provided command if the user consents to an update, allowing for automated skill maintenance via the vendor's infrastructure.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 4, 2026, 10:42 AM
Security Audit — agent-trust-hub — byted-kickart-saliency-segmenter