byted-kickart-viral-replicator

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the subprocess module in scripts/replication.py for operational tasks:
  • It spawns background processes using subprocess.Popen to poll the status of long-running video generation tasks. This allows the agent to return control to the user while the task proceeds asynchronously.
  • It uses subprocess.call to interact with the platform's openclaw CLI, enabling the skill to deliver notifications and results back to the user context.
  • [EXTERNAL_DOWNLOADS]: The skill performs several legitimate network operations to support its core functionality:
  • It downloads video and image content from authenticated user-provided URLs and simplified Douyin/ByteDance domains (haohuo.jinritemai.com, v.douyin.com).
  • It fetches a static testing asset from a vendor-owned content delivery network at lf3-static.bytednsdoc.com.
  • scripts/upgrade.py and scripts/plan.py interact with Volcengine APIs (icp.volcengineapi.com) to check for skill updates and verify user subscription validity.
  • [CREDENTIALS_UNSAFE]: The skill manages authentication via environment variables (ACCESS_KEY_ID, SECRET_ACCESS_KEY, ARK_SKILL_API_KEY). The references/火山鉴权指南.md provides clear instructions for users to set these variables locally and includes explicit guidelines for the agent to mask these secrets and avoid persistent storage.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 02:24 AM
Security Audit — agent-trust-hub — byted-kickart-viral-replicator