Scan Report
20/100
ai-video-editor-zh
AI video editor — uploads videos to the Sparki cloud API, creates AI processing projects, polls for completion, and returns download links
A legitimate video editing automation skill with no malicious behavior — shell:WRITE is expected for curl-based API calls, all network requests go to a single documented domain, and the hardcoded API key in the docs is a clearly marked placeholder.
Safe to install
No blocking action needed. Optionally pin the SPARKI_API_KEY example to a clearly fake value (e.g., sk_test_placeholder) in README.md to avoid confusion.
Findings 2 items
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Hardcoded placeholder API key in README.md | Doc Mismatch | README.md:52 |
| Low | SKILL.md also shows a sk_live_ placeholder in its config example | Doc Mismatch | SKILL.md:58 |
Permissions 5 items
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md metadata declares shell:WRITE via bash tool; all 4 scripts use bash to … |
| Network | READ | WRITE | ✓ Aligned | SKILL.md says 'network:READ' but scripts POST JSON bodies via curl — however thi… |
| Filesystem | NONE | READ | ✓ Aligned | upload_asset.sh reads file size via wc -c; edit_video.sh reads script paths — le… |
| Environment | READ | READ | ✓ Aligned | SPARKI_API_KEY accessed via ${VAR:-} pattern; not exfiltrated |
| Skill Invoke | NONE | WRITE | ✓ Aligned | edit_video.sh calls the other 3 scripts internally — expected orchestration |
Pattern matches 9 findings (1 High)
| Severity | Type | Match | Location |
|---|---|---|---|
| High | API Key (suspected hardcoded credential) | `API_KEY="sk_live_your_key_here"` | README.md:52 |
| Medium | External URL | https://img.shields.io/badge/ClawHub-Skill-blueviolet | README.md:3 |
| Medium | External URL | https://clawhub.io | README.md:3 |
| Medium | External URL | https://img.shields.io/badge/version-1.0.6-blue | README.md:4 |
| Medium | External URL | https://img.shields.io/badge/License-MIT-green | README.md:5 |
| Medium | External URL | https://sparki.io | README.md:10 |
| Medium | External URL | https://agent-enterprise-dev.aicoding.live/api/v1/business/projects/test | SKILL.md:90 |
| Medium | External URL | https://agent-enterprise-dev.aicoding.live/api/v1 | scripts/create_project.sh:22 |
| Info | Email (email address) | [email protected] | SKILL.md:8 |
File Tree
7 files · 26.9 KB · 843 lines (Shell: 4 files, 460 lines; Markdown: 2 files, 378 lines; JSON: 1 file, 5 lines)
├─ scripts/
│  ├─ create_project.sh (Shell)
│  ├─ edit_video.sh (Shell)
│  ├─ get_project_status.sh (Shell)
│  └─ upload_asset.sh (Shell)
├─ _meta.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| curl | N/A | system binary | No | Required CLI tool declared in SKILL.md metadata |
| jq | N/A | system binary | No | Required CLI tool declared in SKILL.md metadata |
Security Positives
✓ SPARKI_API_KEY is only transmitted via HTTP header, never written to disk
✓ All network requests target a single hardcoded domain: agent-enterprise-dev.aicoding.live
✓ Scripts use 'set -euo pipefail' for safe shell error handling
✓ All user inputs (file_path, tips, user_prompt, etc.) are properly quoted, mitigating shell injection
✓ File validation restricts uploads to mp4 format with a 3GB size cap
✓ Rate limiting (3s sleep between API calls) is implemented
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No base64-encoded payloads, eval(), or obfuscation techniques observed
✓ edit_video.sh provides exit codes for all failure modes; no silent failures
✓ No cron, startup hooks, or persistence mechanisms present
✓ No credential harvesting beyond the required SPARKI_API_KEY
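The shell hygiene credited above (set -euo pipefail, ${VAR:-} access to SPARKI_API_KEY, quoted inputs, mp4-only uploads under the 3GB cap) and the recommendation to keep sk_live_ strings out of README.md and SKILL.md, as an added example. This is not code from the ai-video-editor-zh skill: the function names, MAX_UPLOAD_BYTES, the return codes and the sk_live_ regex are assumptions; only the SPARKI_API_KEY variable name and the mp4/3GB limits come from the report.

```bash
#!/usr/bin/env bash
# Added example; not code from the ai-video-editor-zh skill. It demonstrates the
# patterns the scan report credits (set -euo pipefail, ${VAR:-} key access,
# mp4-only uploads under 3GB, quoted inputs) plus a check for the sk_live_
# placeholder the report flags as a Doc Mismatch. Function names,
# MAX_UPLOAD_BYTES, return codes and the regex are assumptions.
set -euo pipefail

MAX_UPLOAD_BYTES=$((3 * 1024 * 1024 * 1024))   # 3GB cap, as described in the report

# validate_upload FILE
# Returns 0 for a regular .mp4 file within the size cap; 2, 3 or 4 otherwise.
validate_upload() {
  local file_path="$1"                          # always quoted below: no word splitting
  [ -f "$file_path" ] || { echo "not a regular file: $file_path" >&2; return 2; }
  case "$file_path" in
    *.mp4) ;;                                   # extension allowlist, not a denylist
    *) echo "only .mp4 uploads are accepted: $file_path" >&2; return 3 ;;
  esac
  local size
  size=$(( $(wc -c < "$file_path") ))           # arithmetic strips wc's padding
  [ "$size" -le "$MAX_UPLOAD_BYTES" ] || { echo "exceeds 3GB cap: $file_path" >&2; return 4; }
}

# api_key_present
# Reads SPARKI_API_KEY with ${VAR:-} so 'set -u' does not abort when it is unset.
# The value is only tested for presence, never echoed or written to disk.
api_key_present() {
  [ -n "${SPARKI_API_KEY:-}" ]
}

# count_live_key_placeholders FILE...
# Prints the number of sk_live_-prefixed tokens in the given docs. A non-zero
# count reproduces the report's Doc Mismatch finding. '|| true' keeps a clean
# (no-match) run from tripping set -e / pipefail.
count_live_key_placeholders() {
  { grep -hEo 'sk_live_[A-Za-z0-9_]+' "$@" || true; } | wc -l | tr -d ' '
}

# list_live_key_placeholders FILE...
# Prints file:line:token for each match, the form the report's Location column uses.
list_live_key_placeholders() {
  grep -nHEo 'sk_live_[A-Za-z0-9_]+' "$@" || true
}
```

Call validate_upload on the path before any curl invocation so a rejected file never reaches the network, and run `count_live_key_placeholders README.md SKILL.md` in CI to fail the build when a live-looking key prefix reappears in the docs; a placeholder such as `sk_test_placeholder` passes the check.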