中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:19 hr ago Rescan
5 /100
video-resizer-zh
面向比例转换和平台适配场景的 Sparki skill 变体,沿用最新版官方 Sparki 安装、API key、上传和命令说明,同时保留 resizer 场景定位
A clean, straightforward video-resizing CLI that strictly adheres to its declared permissions with no hidden functionality, credential harvesting, obfuscation, or network exfiltration.
Skill Namevideo-resizer-zh
Duration40.9s
Enginepi
Safe to install
No action needed. The skill is safe to use.

Findings 1 items

Severity Finding Location
Low
Unpinned dependency versions Supply Chain
pyproject.toml declares dependencies with lower bounds only (typer>=0.9.0, httpx>=0.27.0, pydantic>=2.0.0) with no upper bounds or exact pins. This allows a dependency to silently introduce breaking or malicious changes.
dependencies = ["typer>=0.9.0", "httpx>=0.27.0", "pydantic>=2.0.0"]
→ Pin exact versions or use a tight version range (e.g., httpx>=0.27.0,<1.0.0) to reduce supply-chain risk.
 pyproject.toml:16
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned cli.py:182 — file reads via open() for upload only
Filesystem WRITE WRITE ✓ Aligned config.py:48 — writes to ~/.openclaw/config/sparki.json; cli.py:277 — writes dow…
Network READ READ ✓ Aligned client.py — all HTTP requests go to agent-api.sparki.io only
Shell NONE NONE No subprocess, os.system, or shell invocation found anywhere in codebase
Environment NONE READ ✓ Aligned config.py:31 — reads SPARKI_API_KEY from os.environ; SKILL.md permissions.env is…
Skill Invoke NONE NONE No skill invocation or inter-process messaging
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser automation
Database NONE NONE No database access
7 findings
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/ClawHub-Skill-blueviolet
README.md:3
🔗
Medium External URL 外部 URL
https://clawhub.io
README.md:3
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/version-1.0.12-blue
README.md:4
🔗
Medium External URL 外部 URL
https://sparki.io
SKILL.md:17
🔗
Medium External URL 外部 URL
https://agent-api.sparki.io
src/sparki_cli/constants.py:61
🔗
Medium External URL 外部 URL
https://t.me/Sparki_AI_bot/upload
src/sparki_cli/constants.py:62
🔗
Medium External URL 外部 URL
https://sparki.io/pricing
src/sparki_cli/constants.py:101

File Tree

11 files · 33.2 KB · 1009 lines
Python 7f · 904L Markdown 2f · 70L TOML 1f · 31L JSON 1f · 4L
├─ 📁 src
│ └─ 📁 sparki_cli
│ ├─ 🐍 __init__.py Python 3L · 81 B
│ ├─ 🐍 cli.py Python 507L · 17.1 KB
│ ├─ 🐍 client.py Python 99L · 4.0 KB
│ ├─ 🐍 config.py Python 55L · 1.9 KB
│ ├─ 🐍 constants.py Python 139L · 4.8 KB
│ ├─ 🐍 models.py Python 59L · 1.3 KB
│ └─ 🐍 output.py Python 42L · 1.0 KB
├─ 📋 _meta.json JSON 4L · 56 B
├─ 📄 pyproject.toml TOML 31L · 579 B
├─ 📝 README.md Markdown 28L · 933 B
└─ 📝 SKILL.md Markdown 42L · 1.4 KB

Dependencies 3 items

PackageVersionSourceKnown VulnsNotes
typer >=0.9.0 pyproject.toml No Version not pinned — use upper bound
httpx >=0.27.0 pyproject.toml No Version not pinned — use upper bound
pydantic >=2.0.0 pyproject.toml No Version not pinned — use upper bound

Security Positives

✓ No shell execution (subprocess, os.system, popen) anywhere in the codebase
✓ No obfuscation: no base64, atob, eval, or encoded payloads
✓ No credential theft: API key is used only for authenticated API calls to declared endpoint
✓ No data exfiltration: all network traffic is limited to agent-api.sparki.io
✓ No hidden functionality: SKILL.md documentation accurately describes the tool's behavior
✓ No sensitive file access: no access to ~/.ssh, ~/.aws, .env, or credential stores
✓ File operations scoped strictly to declared paths (~/.openclaw/config, ~/.openclaw/workspace)
✓ No reverse shell, C2, or persistence mechanisms (no cron, startup hooks, or backdoors)
✓ Clean imports with no suspicious third-party packages