faceless-video-zh 安全扫描报告 — 可信 | ClawSafe

5 /100

faceless-video-zh

Sparki AI video editor CLI for faceless/no-face content scenarios

A straightforward video-editing CLI wrapper for the Sparki AI service; no shell execution, no obfuscation, no credential exfiltration, and all filesystem/network operations are fully declared in SKILL.md.

技能名称faceless-video-zh

分析耗时36.1s

引擎pi

✓

可以安装

Approve for use. Consider pinning dependency versions in pyproject.toml for supply-chain hygiene.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned dependency upper bounds 供应链 pyproject.toml declares dependencies without upper version bounds (typer>=0.9.0, httpx>=0.27.0, pydantic>=2.0.0). While not exploitable in the current snapshot, a compromised future release could be silently installed. `typer>=0.9.0` → Pin upper bounds, e.g. typer>=0.9.0,<1.0.0, to limit exposure to breaking changes and supply-chain attacks.	`pyproject.toml:11`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md line 8: fs.write [$HOME/.openclaw/config, $HOME/.openclaw/workspace/spa…
文件系统	`READ`	`READ`	✓ 一致	SKILL.md line 7: fs.read [$CWD]; cli.py:69 reads input video files
网络访问	`READ`	`READ`	✓ 一致	SKILL.md line 9: network.domains [agent-api.sparki.io]; client.py:32-62 makes on…

7 项发现

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/ClawHub-Skill-blueviolet

README.md:3

🔗

中危外部 URL 外部 URL

https://clawhub.io

README.md:3

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/version-1.0.12-blue

README.md:4

🔗

中危外部 URL 外部 URL

https://sparki.io

SKILL.md:17

🔗

中危外部 URL 外部 URL

https://agent-api.sparki.io

src/sparki_cli/constants.py:61

🔗

中危外部 URL 外部 URL

https://t.me/Sparki_AI_bot/upload

src/sparki_cli/constants.py:62

🔗

中危外部 URL 外部 URL

https://sparki.io/pricing

src/sparki_cli/constants.py:101

目录结构

11 文件 · 33.2 KB · 1009 行

Python 7f · 904L Markdown 2f · 70L TOML 1f · 31L JSON 1f · 4L

├─ ▾ 📁 src

│ └─ ▾ 📁 sparki_cli

│ ├─ 🐍 __init__.py Python 3L · 81 B

│ ├─ 🐍 cli.py Python 507L · 17.1 KB

│ ├─ 🐍 client.py Python 99L · 4.0 KB

│ ├─ 🐍 config.py Python 55L · 1.9 KB

│ ├─ 🐍 constants.py Python 139L · 4.8 KB

│ ├─ 🐍 models.py Python 59L · 1.3 KB

│ └─ 🐍 output.py Python 42L · 1.0 KB

├─ 📋 _meta.json JSON 4L · 57 B

├─ 📄 pyproject.toml TOML 31L · 579 B

├─ 📝 README.md Markdown 28L · 906 B

└─ 📝 SKILL.md Markdown 42L · 1.4 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`typer`	`>=0.9.0`	pip	否	Version lower bound only, no upper bound
`httpx`	`>=0.27.0`	pip	否	Version lower bound only, no upper bound
`pydantic`	`>=2.0.0`	pip	否	Version lower bound only, no upper bound

安全亮点

✓ All shell/filesystem/network access is explicitly declared in SKILL.md permissions block

✓ No subprocess, os.system, or any shell execution code present

✓ No base64, eval, or any code-obfuscation patterns found

✓ API key is stored locally only in ~/.openclaw/config/sparki.json — never exfiltrated

✓ API key is sent exclusively to the declared domain agent-api.sparki.io

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env) or environment variable enumeration

✓ No reverse shell, C2, or data-exfiltration behavior

✓ No hidden instructions in comments or strings

✓ httpx client is used with explicit timeouts and no redirect surprises

✓ Download results are written to the declared output directory only