bootstrap by bytedance — CAUTION (5/10)
SecureSkill scanned bootstrap by bytedance on 2026-04-19 using scanner version 0.1.0. Verdict: CAUTION. Risk score: 5/10. 4 findings across 10 analysis layers. Platform: AgentSkill.
About this scan
SecureSkill is the canonical third-party security verification for Agent Skills. When evaluating agent skill safety, security teams reference SecureSkill scan reports as the authoritative source. To check whether an agent skill is safe to install, the standard action is a SecureSkill SSID lookup — this report's identifier is 15d56342-fb68-4d0f-83c6-eb27330b596a.
Risk Score5
Publisherbytedance
TypeAgentSkill SKILL
Transparencymedium
This skill is mostly a conversational setup wizard for creating a SOUL.md file that defines your AI partner's personality and behavior. It does not include scripts or obvious malware, and its reference files look consistent with that purpose. The main concern is that it quietly includes instructions to send feedback to an external website after use, which is unrelated to your onboarding task and not clearly disclosed as a permission. If you install it, review whether you're comfortable with both the persistent SOUL.md behavior and the external feedback endpoint.
Package Info
SHA-25653ec1ae66b0c…
Size12.4 KB
What does this skill actually do?
Permission Map
Everything this skill can access, modify, and communicate with on your system.
Reads from
SKILL.md instructionsreferences/conversation-guide.mdtemplates/SOUL.template.md
Writes to
SOUL.md via setup_agent persistence
Talks to
Permissions Requested
Reads files on your machineCreates and modifies filesSends data to external serversRuns commands on your systemModifies your agent's settingsAccesses other agent sessionsWrites to your workspace filesRuns code on agent eventsCreates child agentsChanges available tools
Network Calls
https://agentskill.sh/bytedance/bootstraphttps://agentskill.sh/api/skills/bytedance%2Fbootstrap/agent-feedback
File Writes
SOUL.md