faceless-video Security Report — Trusted | ClawSafe

5 /100

faceless-video

Scenario-focused Sparki skill for faceless or no-camera-presence video outputs

Legitimate video editing CLI tool with no malicious behavior detected. All functionality is declared, scoped, and performs standard API-based video processing.

Skill Namefaceless-video

Duration41.7s

Enginepi

✓

Safe to install

This skill is safe to use. No security concerns requiring action.

Findings 1 items

Severity	Finding	Location
Low	Implicit config directory creation Priv Escalation The skill auto-creates ~/.openclaw/config and ~/.openclaw/workspace/sparki/videos directories on first run. This is within declared scope but happens silently. `self.config_dir.mkdir(parents=True, exist_ok=True)` → Document auto-creation behavior in SKILL.md for transparency	`src/sparki_cli/config.py:15`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md declares write to ~/.openclaw/config and ~/.openclaw/workspace/sparki/v…
Network	`READ`	`READ`	✓ Aligned	client.py only communicates with agent-api.sparki.io
Environment	`NONE`	`READ`	✓ Aligned	config.py:17 reads SPARKI_API_KEY env var, only for auth purposes
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution found

7 findings

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/ClawHub-Skill-blueviolet

README.md:3

🔗

Medium External URL 外部 URL

https://clawhub.io

README.md:3

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/version-1.0.12-blue

README.md:4

🔗

Medium External URL 外部 URL

https://sparki.io

SKILL.md:17

🔗

Medium External URL 外部 URL

https://agent-api.sparki.io

src/sparki_cli/constants.py:61

🔗

Medium External URL 外部 URL

https://t.me/Sparki_AI_bot/upload

src/sparki_cli/constants.py:62

🔗

Medium External URL 外部 URL

https://sparki.io/pricing

src/sparki_cli/constants.py:101

File Tree

11 files · 33.3 KB · 1010 lines

Python 7f · 904L Markdown 2f · 71L TOML 1f · 31L JSON 1f · 4L

├─ ▾ 📁 src

│ └─ ▾ 📁 sparki_cli

│ ├─ 🐍 __init__.py Python 3L · 81 B

│ ├─ 🐍 cli.py Python 507L · 17.1 KB

│ ├─ 🐍 client.py Python 99L · 4.0 KB

│ ├─ 🐍 config.py Python 55L · 1.9 KB

│ ├─ 🐍 constants.py Python 139L · 4.8 KB

│ ├─ 🐍 models.py Python 59L · 1.3 KB

│ └─ 🐍 output.py Python 42L · 1.0 KB

├─ 📋 _meta.json JSON 4L · 54 B

├─ 📄 pyproject.toml TOML 31L · 579 B

├─ 📝 README.md Markdown 28L · 964 B

└─ 📝 SKILL.md Markdown 43L · 1.5 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`typer`	`>=0.9.0`	pip	No	Version pinned to major version
`httpx`	`>=0.27.0`	pip	No	Version pinned to major version
`pydantic`	`>=2.0.0`	pip	No	Version pinned to major version

Security Positives

✓ No shell execution (subprocess, os.system) detected in any file

✓ No credential harvesting - API key used only for Sparki API authentication

✓ No data exfiltration - all network traffic goes to declared agent-api.sparki.io domain only

✓ No obfuscation (base64, eval, atob) found in codebase

✓ Documentation accurately reflects code behavior - no doc-to-code mismatch

✓ No hidden functionality discovered

✓ No supply chain risks - dependencies from PyPI with version constraints

✓ No persistence mechanisms (cron, startup hooks, backdoors) found

✓ No sensitive path access outside declared config/output directories

✓ Clean code architecture with separation of concerns (CLI, client, config, models, output)

Scan Report

Findings 1 items

File Tree

Dependencies 3 items

Security Positives