中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 15/100
Last scan:21 hr ago Rescan
15 /100
highlight-reels-zh
Sparki AI video editing skill for highlight reel generation — upload, edit, poll, and download video clips through the Sparki cloud API
A legitimate video-editing CLI tool backed by a cloud API with well-documented functionality; minor doc/code gaps (undocumented history file write, unpinned dependencies) but no malicious indicators.
Skill Namehighlight-reels-zh
Duration46.1s
Enginepi
Safe to install
Approve for use. Consider pinning dependency versions in pyproject.toml and documenting the sparki_history.json file write in SKILL.md.

Findings 2 items

Severity Finding Location
Low
Undocumented sparki_history.json write Doc Mismatch
cli.py writes project history to ~/.openclaw/sparki_history.json, but SKILL.md only declares filesystem:write for ~/.openclaw/config and ~/.openclaw/workspace/sparki/videos. The history file is a minor undocumented write.
hf = _history_file(); hf.parent.mkdir(parents=True, exist_ok=True); hf.write_text(...)
→ Add ~/.openclaw/sparki_history.json to the filesystem:write declaration in SKILL.md
 src/sparki_cli/cli.py:80
Low
Loose dependency version pinning Supply Chain
pyproject.toml declares dependencies with minimum version constraints (typer>=0.9.0, httpx>=0.27.0, pydantic>=2.0.0). Without exact pinning, a dependency could introduce a vulnerable or malicious update.
"typer>=0.9.0", "httpx>=0.27.0", "pydantic>=2.0.0"
→ Pin exact versions: "typer==0.9.0", "httpx==0.27.0", "pydantic==2.0.0"
 pyproject.toml:13
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned cli.py:66 — reads config from DEFAULT_CONFIG_DIR (~/.openclaw/config)
Filesystem WRITE WRITE ✓ Aligned cli.py:80 — writes sparki_history.json not explicitly declared in SKILL.md
Network READ READ ✓ Aligned client.py:58 — GET /api/v1/account/info only to agent-api.sparki.io
Network WRITE WRITE ✓ Aligned client.py:62 — POST /api/v1/assets/upload and /api/v1/projects/ to agent-api.spa…
7 findings
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/ClawHub-Skill-blueviolet
README.md:3
🔗
Medium External URL 外部 URL
https://clawhub.io
README.md:3
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/version-1.0.12-blue
README.md:4
🔗
Medium External URL 外部 URL
https://sparki.io
SKILL.md:17
🔗
Medium External URL 外部 URL
https://agent-api.sparki.io
src/sparki_cli/constants.py:61
🔗
Medium External URL 外部 URL
https://t.me/Sparki_AI_bot/upload
src/sparki_cli/constants.py:62
🔗
Medium External URL 外部 URL
https://sparki.io/pricing
src/sparki_cli/constants.py:101

File Tree

11 files · 33.2 KB · 1009 lines
Python 7f · 904L Markdown 2f · 70L TOML 1f · 31L JSON 1f · 4L
├─ 📁 src
│ └─ 📁 sparki_cli
│ ├─ 🐍 __init__.py Python 3L · 81 B
│ ├─ 🐍 cli.py Python 507L · 17.1 KB
│ ├─ 🐍 client.py Python 99L · 4.0 KB
│ ├─ 🐍 config.py Python 55L · 1.9 KB
│ ├─ 🐍 constants.py Python 139L · 4.8 KB
│ ├─ 🐍 models.py Python 59L · 1.3 KB
│ └─ 🐍 output.py Python 42L · 1.0 KB
├─ 📋 _meta.json JSON 4L · 58 B
├─ 📄 pyproject.toml TOML 31L · 579 B
├─ 📝 README.md Markdown 28L · 953 B
└─ 📝 SKILL.md Markdown 42L · 1.4 KB

Dependencies 3 items

PackageVersionSourceKnown VulnsNotes
typer >=0.9.0 pip No Version not pinned
httpx >=0.27.0 pip No Version not pinned
pydantic >=2.0.0 pip No Version not pinned

Security Positives

✓ No shell execution, subprocess, or command injection found
✓ No obfuscation (base64, eval, atob) anywhere in the codebase
✓ No credential exfiltration — API key is used only for Sparki backend authentication via X-API-Key header
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, /etc/)
✓ No curl|bash or wget|sh remote script execution
✓ No hidden HTML comments or prompt injection instructions
✓ All network traffic is confined to the declared domain agent-api.sparki.io (API endpoints)
✓ Download URLs originate from the server's own project status response, not from untrusted external input
✓ Clean, well-structured Python codebase with no suspicious patterns