Low risk: risk score 20/100
Last scan: 21 hours ago
tiktok-viral-editor-zh
TikTok viral-video editing skill; uses Sparki AI for video editing
Legitimate TikTok video editing skill with clean implementation, no malicious patterns, and proper credential handling.
Skill name: tiktok-viral-editor-zh
Analysis time: 41.5s
Engine: pi
Verdict: safe to install
This skill is safe to use. The only minor issue is that download_result() fetches from variable URLs (not just sparki.io), but this is necessary for video delivery and is standard practice for cloud-based video services.

Security findings (2)

Severity | Finding | Location

Low | Download URLs not explicitly declared in network permissions | src/sparki_cli/client.py:95
Category: documentation mismatch
The network permission in _meta.json only lists agent-api.sparki.io, but download_result() fetches from variable result URLs, which could be on any CDN domain. This is necessary for video delivery but is not documented.
    async with httpx.AsyncClient(timeout=600, follow_redirects=True) as c:
        async with c.stream("GET", url) as resp:
→ Update the _meta.json network permissions to include the download CDN domains, or use a broader pattern such as '*.sparki.io' if the result URLs are in fact served under sparki.io (the report does not say where they point). Note that follow_redirects=True is set, so the host that actually serves the bytes is the one reached after redirects; any allowlist should be enforced on every hop, not only on the initial result_url.
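The following is an added example, not code from the skill or from Sparki, showing how the flagged download_result() pattern can be restricted to an allowlist of hosts with the check applied on every redirect hop. Because the report only says result URLs "could be any CDN domain", the ALLOWED_DOWNLOAD_HOSTS tuple (the declared API host plus a '*.sparki.io' wildcard) is an assumption that must be replaced with the hosts real result_url values use; download_result() here is a hardened stand-in for the project's function of the same name, and the httpx import is deferred so the URL validators run on their own.

```python
"""Host allowlisting for a download_result()-style fetch.

Added example, not the skill's own code. The report says result URLs may sit
on "any CDN domain" without naming one, so ALLOWED_DOWNLOAD_HOSTS below is an
assumption to be replaced with the hosts real result_url values actually use.
"""
from urllib.parse import urlsplit

# Assumption: the declared API host plus a wildcard for a CDN under sparki.io.
ALLOWED_DOWNLOAD_HOSTS = ("agent-api.sparki.io", "*.sparki.io")


def host_allowed(host: str, patterns=ALLOWED_DOWNLOAD_HOSTS) -> bool:
    """Exact match, or '*.example.com' matching strict subdomains only
    (so 'sparki.io' itself and 'sparki.io.evil.example' are both rejected)."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            suffix = pat[1:]  # '*.sparki.io' -> '.sparki.io'
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pat:
            return True
    return False


def validate_download_url(url: str, patterns=ALLOWED_DOWNLOAD_HOSTS) -> str:
    """Return url unchanged if it may be fetched, else raise ValueError.

    Rejects non-https schemes, userinfo (https://cdn.sparki.io@evil.example/)
    and hosts outside the allowlist. Apply it to every hop, not just the first
    URL: follow_redirects=True lets the responding server send the client on
    to an arbitrary host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https download URL: {url}")
    if parts.username is not None or parts.password is not None:
        raise ValueError(f"refusing URL with userinfo: {url}")
    if not parts.hostname or not host_allowed(parts.hostname, patterns):
        raise ValueError(f"download host not in allowlist: {parts.hostname!r}")
    return url


def redirect_chain_allowed(urls, patterns=ALLOWED_DOWNLOAD_HOSTS) -> bool:
    """True iff every URL in a redirect chain passes validate_download_url."""
    try:
        for u in urls:
            validate_download_url(u, patterns)
    except ValueError:
        return False
    return True


async def _enforce_allowlist(response) -> None:
    """httpx 'response' event hook. httpx runs response hooks for each
    response it receives, including intermediate 3xx hops, so a redirect to
    an unlisted host raises here before any body bytes are streamed."""
    validate_download_url(str(response.url))


async def download_result(url: str, dest: str) -> None:
    """Hardened counterpart of the pattern flagged at client.py:95."""
    import httpx  # local import so the validators above run without httpx

    validate_download_url(url)  # reject before a connection is opened
    async with httpx.AsyncClient(
        timeout=600,
        follow_redirects=True,
        event_hooks={"response": [_enforce_allowlist]},
    ) as c:
        async with c.stream("GET", url) as resp:
            resp.raise_for_status()
            with open(dest, "wb") as fh:
                async for chunk in resp.aiter_bytes():
                    fh.write(chunk)
```

The wildcard deliberately requires a strict subdomain, so neither the bare apex nor a look-alike such as sparki.io.evil.example matches, and the userinfo check stops a URL whose authority section merely begins with an allowed host. Once the real CDN hosts are known, they belong in both this allowlist and the _meta.json network permission so the declaration and the code agree.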
Low | Dependencies not version-pinned | pyproject.toml:10
Category: supply chain
pyproject.toml uses >= constraints with no upper bound for all dependencies (typer>=0.9.0, httpx>=0.27.0, pydantic>=2.0.0), so a future major release of any of them can change behaviour or pull new code into an install without any change to this project.
    "typer>=0.9.0"
→ Pin exact versions or use compatible-release specifiers (e.g., typer~=0.12.0) to keep builds reproducible. A specifier in pyproject.toml still resolves to whatever matching release exists at install time; fully reproducible installs additionally need a lockfile with hashes (for example pip's --require-hashes mode).
Permissions

Resource | Declared | Inferred | Status | Evidence
File system | READ | READ | ✓ consistent | cli.py:79-81 reads sparki_history.json
File system | WRITE | WRITE | ✓ consistent | config.py:36 saves to ~/.openclaw/config/sparki.json
Network | agent-api.sparki.io | agent-api.sparki.io + variable CDN URLs for downloads | ✓ consistent | client.py:95 downloads from the result_url parameter
Environment variables | SPARKI_API_KEY | SPARKI_API_KEY, SPARKI_UPLOAD_TG_LINK | ✓ consistent | config.py:18-21 reads from os.environ
External URLs (7 findings)

Severity | Type | URL | Location
Medium | External URL | https://img.shields.io/badge/ClawHub-Skill-blueviolet | README.md:3
Medium | External URL | https://clawhub.io | README.md:3
Medium | External URL | https://img.shields.io/badge/version-1.0.12-blue | README.md:4
Medium | External URL | https://sparki.io | SKILL.md:17
Medium | External URL | https://agent-api.sparki.io | src/sparki_cli/constants.py:61
Medium | External URL | https://t.me/Sparki_AI_bot/upload | src/sparki_cli/constants.py:62
Medium | External URL | https://sparki.io/pricing | src/sparki_cli/constants.py:101

Directory structure

11 files · 33.3 KB · 1009 lines
Python 7 files · 904 lines; Markdown 2 files · 70 lines; TOML 1 file · 31 lines; JSON 1 file · 4 lines
├─ 📁 src
│  └─ 📁 sparki_cli
│     ├─ 🐍 __init__.py    Python   3L · 81 B
│     ├─ 🐍 cli.py         Python 507L · 17.1 KB
│     ├─ 🐍 client.py      Python  99L · 4.0 KB
│     ├─ 🐍 config.py      Python  55L · 1.9 KB
│     ├─ 🐍 constants.py   Python 139L · 4.8 KB
│     ├─ 🐍 models.py      Python  59L · 1.3 KB
│     └─ 🐍 output.py      Python  42L · 1.0 KB
├─ 📋 _meta.json           JSON     4L · 62 B
├─ 📄 pyproject.toml       TOML    31L · 579 B
├─ 📝 README.md            Markdown 28L · 972 B
└─ 📝 SKILL.md             Markdown 42L · 1.4 KB

Dependency analysis (3)

Package | Version | Source | Known vulnerabilities | Notes
typer | >=0.9.0 | pip | none listed | version not pinned
httpx | >=0.27.0 | pip | none listed | version not pinned
pydantic | >=2.0.0 | pip | none listed | version not pinned

Security highlights

✓ No shell execution, subprocess, or system command invocations detected
✓ No base64 encoding or obfuscated code patterns
✓ No credential exfiltration; the API key is stored locally only
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env file reading)
✓ No network C2 communication or data exfiltration patterns
✓ Clean Python codebase with no reverse shell or backdoor code
✓ API key properly scoped to authenticated API calls only
✓ All file operations confined to declared config directories