中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:21 hr ago Rescan
5 /100
faceless-video-zh
Sparki AI video editor CLI for faceless/no-face content scenarios
A straightforward video-editing CLI wrapper for the Sparki AI service; no shell execution, no obfuscation, no credential exfiltration, and all filesystem/network operations are fully declared in SKILL.md.
Skill Namefaceless-video-zh
Duration36.1s
Enginepi
Safe to install
Approve for use. Consider pinning dependency versions in pyproject.toml for supply-chain hygiene.

Findings 1 items

Severity Finding Location
Low
Unpinned dependency upper bounds Supply Chain
pyproject.toml declares dependencies without upper version bounds (typer>=0.9.0, httpx>=0.27.0, pydantic>=2.0.0). While not exploitable in the current snapshot, a compromised future release could be silently installed.
typer>=0.9.0
→ Pin upper bounds, e.g. typer>=0.9.0,<1.0.0, to limit exposure to breaking changes and supply-chain attacks.
 pyproject.toml:11
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned SKILL.md line 8: fs.write [$HOME/.openclaw/config, $HOME/.openclaw/workspace/spa…
Filesystem READ READ ✓ Aligned SKILL.md line 7: fs.read [$CWD]; cli.py:69 reads input video files
Network READ READ ✓ Aligned SKILL.md line 9: network.domains [agent-api.sparki.io]; client.py:32-62 makes on…
7 findings
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/ClawHub-Skill-blueviolet
README.md:3
🔗
Medium External URL 外部 URL
https://clawhub.io
README.md:3
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/version-1.0.12-blue
README.md:4
🔗
Medium External URL 外部 URL
https://sparki.io
SKILL.md:17
🔗
Medium External URL 外部 URL
https://agent-api.sparki.io
src/sparki_cli/constants.py:61
🔗
Medium External URL 外部 URL
https://t.me/Sparki_AI_bot/upload
src/sparki_cli/constants.py:62
🔗
Medium External URL 外部 URL
https://sparki.io/pricing
src/sparki_cli/constants.py:101

File Tree

11 files · 33.2 KB · 1009 lines
Python 7f · 904L Markdown 2f · 70L TOML 1f · 31L JSON 1f · 4L
├─ 📁 src
│ └─ 📁 sparki_cli
│ ├─ 🐍 __init__.py Python 3L · 81 B
│ ├─ 🐍 cli.py Python 507L · 17.1 KB
│ ├─ 🐍 client.py Python 99L · 4.0 KB
│ ├─ 🐍 config.py Python 55L · 1.9 KB
│ ├─ 🐍 constants.py Python 139L · 4.8 KB
│ ├─ 🐍 models.py Python 59L · 1.3 KB
│ └─ 🐍 output.py Python 42L · 1.0 KB
├─ 📋 _meta.json JSON 4L · 57 B
├─ 📄 pyproject.toml TOML 31L · 579 B
├─ 📝 README.md Markdown 28L · 906 B
└─ 📝 SKILL.md Markdown 42L · 1.4 KB

Dependencies 3 items

PackageVersionSourceKnown VulnsNotes
typer >=0.9.0 pip No Version lower bound only, no upper bound
httpx >=0.27.0 pip No Version lower bound only, no upper bound
pydantic >=2.0.0 pip No Version lower bound only, no upper bound

Security Positives

✓ All shell/filesystem/network access is explicitly declared in SKILL.md permissions block
✓ No subprocess, os.system, or any shell execution code present
✓ No base64, eval, or any code-obfuscation patterns found
✓ API key is stored locally only in ~/.openclaw/config/sparki.json — never exfiltrated
✓ API key is sent exclusively to the declared domain agent-api.sparki.io
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env) or environment variable enumeration
✓ No reverse shell, C2, or data-exfiltration behavior
✓ No hidden instructions in comments or strings
✓ httpx client is used with explicit timeouts and no redirect surprises
✓ Download results are written to the declared output directory only