Trusted — Risk Score 5/100
Last scan: 19 hr ago
ai-commentary-zh
Sparki AI video editing skill with commentary/narrative focus, Chinese localization
This is a legitimate video editing CLI skill for Sparki AI that strictly adheres to its declared permissions with no malicious behavior.
Skill Name: ai-commentary-zh
Duration: 32.4s
Engine: pi
Safe to install
This skill is safe to use. No action required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | _meta.json: fs.read=[$CWD]; cli.py: Path.exists(), f.stat().st_size |
| Filesystem | WRITE | WRITE | ✓ Aligned | _meta.json: fs.write=[$HOME/.openclaw/config, $HOME/.openclaw/workspace/sparki/v… |
| Network | READ | READ | ✓ Aligned | _meta.json: network.domains=[agent-api.sparki.io]; client.py: all httpx calls go… |
| Shell | NONE | NONE | | cli.py: No subprocess, os.system, or shell=True usage |
| Environment | NONE | READ | ✓ Aligned | config.py: Reads SPARKI_API_KEY env var for legitimate authentication; no enumer… |
| Skill Invoke | NONE | NONE | | No inter-skill invocation observed |
7 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/ClawHub-Skill-blueviolet | README.md:3 |
| Medium | External URL | https://clawhub.io | README.md:3 |
| Medium | External URL | https://img.shields.io/badge/version-1.0.12-blue | README.md:4 |
| Medium | External URL | https://sparki.io | SKILL.md:17 |
| Medium | External URL | https://agent-api.sparki.io | src/sparki_cli/constants.py:61 |
| Medium | External URL | https://t.me/Sparki_AI_bot/upload | src/sparki_cli/constants.py:62 |
| Medium | External URL | https://sparki.io/pricing | src/sparki_cli/constants.py:101 |

File Tree

11 files · 33.2 KB · 1009 lines
Python 7f · 904L, Markdown 2f · 70L, TOML 1f · 31L, JSON 1f · 4L
├─ 📁 src
│  └─ 📁 sparki_cli
│     ├─ 🐍 __init__.py Python 3L · 81 B
│     ├─ 🐍 cli.py Python 507L · 17.1 KB
│     ├─ 🐍 client.py Python 99L · 4.0 KB
│     ├─ 🐍 config.py Python 55L · 1.9 KB
│     ├─ 🐍 constants.py Python 139L · 4.8 KB
│     ├─ 🐍 models.py Python 59L · 1.3 KB
│     └─ 🐍 output.py Python 42L · 1.0 KB
├─ 📋 _meta.json JSON 4L · 56 B
├─ 📄 pyproject.toml TOML 31L · 579 B
├─ 📝 README.md Markdown 28L · 941 B
└─ 📝 SKILL.md Markdown 42L · 1.4 KB

Dependencies 3 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| typer | >=0.9.0 | pip | No | Minimum version pinned |
| httpx | >=0.27.0 | pip | No | Minimum version pinned |
| pydantic | >=2.0.0 | pip | No | Minimum version pinned |

Security Positives

✓ No shell execution (subprocess, os.system, shell=True) — all operations use Python standard libraries
✓ No obfuscation (base64, atob, eval) — code is human-readable
✓ No credential theft — API key used only for authenticated API calls to sparki.io
✓ No data exfiltration — all network traffic goes to declared domain agent-api.sparki.io
✓ No sensitive path access (~/.ssh, ~/.aws, .env) — only accesses declared config/output directories
✓ No supply chain risk — dependencies are well-known: typer, httpx, pydantic with pinned minimum versions
✓ No hidden functionality — SKILL.md accurately describes behavior; all features traceable to source code
✓ API key check priority: environment variable > config file, a standard secure pattern
✓ Config directory creation uses parents=True, exist_ok=True to avoid race conditions
✓ All HTTP errors caught and surfaced as NETWORK_ERROR, no silent failures