Low risk — risk score 20/100
Last scan: 18 hours ago
ai-video-editor-zh
AI video editor — uploads videos to Sparki cloud API, creates AI processing projects, polls for completion, returns download links
A legitimate video editing automation skill with no malicious behavior — shell:WRITE is expected for curl-based API calls, network requests go to a single documented endpoint, and the hardcoded placeholder API key in docs is clearly marked.
Skill name: ai-video-editor-zh
Analysis time: 38.0s
Engine: pi
Verdict: safe to install
No blocking action needed. Optionally pin the SPARKI_API_KEY example to a clearly fake value (e.g., sk_test_placeholder) in README.md to avoid confusion.

Security findings (2)

Severity | Finding | Location
Low | Hardcoded placeholder API key in README.md (category: misleading documentation) | README.md:52
README.md line 52 contains the literal string 'sk_live_your_key_here' inside a code block, which reads like a real credential example. While it's clearly a placeholder, it should use a test/placeholder prefix (e.g., sk_test_placeholder) to avoid confusion with live keys.
    export SPARKI_API_KEY="sk_live_your_key_here"
→ Replace 'sk_live_your_key_here' with 'sk_test_placeholder' or a similarly clearly-fake value.
Low | SKILL.md also shows sk_live_ placeholder in config example (category: misleading documentation) | SKILL.md:58
SKILL.md lines 58-59 show the same sk_live_your_key_here placeholder in the recommended openclaw config command. Same recommendation as above.
    openclaw config set env.SPARKI_API_KEY "sk_live_your_key_here"
→ Use sk_test_placeholder or a similarly clearly-fake key format.
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ consistent | SKILL.md metadata declares shell:WRITE via bash tool; all 4 scripts use bash to …
Network access | READ | WRITE | ✓ consistent | SKILL.md says 'network:READ' but scripts POST JSON bodies via curl — however thi…
Filesystem | NONE | READ | ✓ consistent | upload_asset.sh reads file size via wc -c; edit_video.sh reads script paths — le…
Environment variables | READ | READ | ✓ consistent | SPARKI_API_KEY accessed via ${VAR:-} pattern; not exfiltrated
Skill invocation | NONE | WRITE | ✓ consistent | edit_video.sh calls the other 3 scripts internally — expected orchestration
Indicators: 1 high severity · 9 findings

Severity | Type | Value | Location
High | API key (suspected hardcoded credential) | API_KEY="sk_live_your_key_here" | README.md:52
Medium | External URL | https://img.shields.io/badge/ClawHub-Skill-blueviolet | README.md:3
Medium | External URL | https://clawhub.io | README.md:3
Medium | External URL | https://img.shields.io/badge/version-1.0.6-blue | README.md:4
Medium | External URL | https://img.shields.io/badge/License-MIT-green | README.md:5
Medium | External URL | https://sparki.io | README.md:10
Medium | External URL | https://agent-enterprise-dev.aicoding.live/api/v1/business/projects/test | SKILL.md:90
Medium | External URL | https://agent-enterprise-dev.aicoding.live/api/v1 | scripts/create_project.sh:22
Info | Email address | [email protected] | SKILL.md:8

Directory structure

7 files · 26.9 KB · 843 lines
Shell 4 files · 460 lines; Markdown 2 files · 378 lines; JSON 1 file · 5 lines
├─ 📁 scripts
│ ├─ 🔧 create_project.sh Shell 97L · 3.7 KB
│ ├─ 🔧 edit_video.sh Shell 197L · 6.7 KB
│ ├─ 🔧 get_project_status.sh Shell 83L · 2.6 KB
│ └─ 🔧 upload_asset.sh Shell 83L · 2.6 KB
├─ 📋 _meta.json JSON 5L · 134 B
├─ 📝 README.md Markdown 175L · 4.5 KB
└─ 📝 SKILL.md Markdown 203L · 6.7 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
curl | N/A | system binary | none listed | Required CLI tool declared in SKILL.md metadata
jq | N/A | system binary | none listed | Required CLI tool declared in SKILL.md metadata

Security highlights

✓ SPARKI_API_KEY is only transmitted via HTTP header, never written to disk
✓ All network requests target a single hardcoded domain: agent-enterprise-dev.aicoding.live
✓ Scripts use 'set -euo pipefail' for safe shell error handling
✓ All user inputs (file_path, tips, user_prompt, etc.) are properly quoted, mitigating shell injection
✓ File validation restricts uploads to mp4 format with a 3GB size cap
✓ Rate limiting (3s sleep between API calls) is implemented
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No base64-encoded payloads, eval(), or obfuscation techniques observed
✓ edit_video.sh provides exit codes for all failure modes; no silent failures
✓ No cron, startup hooks, or persistence mechanisms present
✓ No credential harvesting beyond the required SPARKI_API_KEY