byted-kickart-viral-replicator
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the
subprocessmodule inscripts/replication.pyfor operational tasks: - It spawns background processes using
subprocess.Popento poll the status of long-running video generation tasks. This allows the agent to return control to the user while the task proceeds asynchronously. - It uses
subprocess.callto interact with the platform'sopenclawCLI, enabling the skill to deliver notifications and results back to the user context. - [EXTERNAL_DOWNLOADS]: The skill performs several legitimate network operations to support its core functionality:
- It downloads video and image content from authenticated user-provided URLs and simplified Douyin/ByteDance domains (
haohuo.jinritemai.com,v.douyin.com). - It fetches a static testing asset from a vendor-owned content delivery network at
lf3-static.bytednsdoc.com. scripts/upgrade.pyandscripts/plan.pyinteract with Volcengine APIs (icp.volcengineapi.com) to check for skill updates and verify user subscription validity.- [CREDENTIALS_UNSAFE]: The skill manages authentication via environment variables (
ACCESS_KEY_ID,SECRET_ACCESS_KEY,ARK_SKILL_API_KEY). Thereferences/火山鉴权指南.mdprovides clear instructions for users to set these variables locally and includes explicit guidelines for the agent to mask these secrets and avoid persistent storage.
Audit Metadata