video-resizer-zh 安全扫描报告 — 可信 | ClawSafe

5 /100

video-resizer-zh

面向比例转换和平台适配场景的 Sparki skill 变体，沿用最新版官方 Sparki 安装、API key、上传和命令说明，同时保留 resizer 场景定位

A clean, straightforward video-resizing CLI that strictly adheres to its declared permissions with no hidden functionality, credential harvesting, obfuscation, or network exfiltration.

技能名称video-resizer-zh

分析耗时40.9s

引擎pi

✓

可以安装

No action needed. The skill is safe to use.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned dependency versions 供应链 pyproject.toml declares dependencies with lower bounds only (typer>=0.9.0, httpx>=0.27.0, pydantic>=2.0.0) with no upper bounds or exact pins. This allows a dependency to silently introduce breaking or malicious changes. `dependencies = ["typer>=0.9.0", "httpx>=0.27.0", "pydantic>=2.0.0"]` → Pin exact versions or use a tight version range (e.g., httpx>=0.27.0,<1.0.0) to reduce supply-chain risk.	`pyproject.toml:16`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	cli.py:182 — file reads via open() for upload only
文件系统	`WRITE`	`WRITE`	✓ 一致	config.py:48 — writes to ~/.openclaw/config/sparki.json; cli.py:277 — writes dow…
网络访问	`READ`	`READ`	✓ 一致	client.py — all HTTP requests go to agent-api.sparki.io only
命令执行	`NONE`	`NONE`	—	No subprocess, os.system, or shell invocation found anywhere in codebase
环境变量	`NONE`	`READ`	✓ 一致	config.py:31 — reads SPARKI_API_KEY from os.environ; SKILL.md permissions.env is…
技能调用	`NONE`	`NONE`	—	No skill invocation or inter-process messaging
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access

7 项发现

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/ClawHub-Skill-blueviolet

README.md:3

🔗

中危外部 URL 外部 URL

https://clawhub.io

README.md:3

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/version-1.0.12-blue

README.md:4

🔗

中危外部 URL 外部 URL

https://sparki.io

SKILL.md:17

🔗

中危外部 URL 外部 URL

https://agent-api.sparki.io

src/sparki_cli/constants.py:61

🔗

中危外部 URL 外部 URL

https://t.me/Sparki_AI_bot/upload

src/sparki_cli/constants.py:62

🔗

中危外部 URL 外部 URL

https://sparki.io/pricing

src/sparki_cli/constants.py:101

目录结构

11 文件 · 33.2 KB · 1009 行

Python 7f · 904L Markdown 2f · 70L TOML 1f · 31L JSON 1f · 4L

├─ ▾ 📁 src

│ └─ ▾ 📁 sparki_cli

│ ├─ 🐍 __init__.py Python 3L · 81 B

│ ├─ 🐍 cli.py Python 507L · 17.1 KB

│ ├─ 🐍 client.py Python 99L · 4.0 KB

│ ├─ 🐍 config.py Python 55L · 1.9 KB

│ ├─ 🐍 constants.py Python 139L · 4.8 KB

│ ├─ 🐍 models.py Python 59L · 1.3 KB

│ └─ 🐍 output.py Python 42L · 1.0 KB

├─ 📋 _meta.json JSON 4L · 56 B

├─ 📄 pyproject.toml TOML 31L · 579 B

├─ 📝 README.md Markdown 28L · 933 B

└─ 📝 SKILL.md Markdown 42L · 1.4 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`typer`	`>=0.9.0`	pyproject.toml	否	Version not pinned — use upper bound
`httpx`	`>=0.27.0`	pyproject.toml	否	Version not pinned — use upper bound
`pydantic`	`>=2.0.0`	pyproject.toml	否	Version not pinned — use upper bound

安全亮点

✓ No shell execution (subprocess, os.system, popen) anywhere in the codebase

✓ No obfuscation: no base64, atob, eval, or encoded payloads

✓ No credential theft: API key is used only for authenticated API calls to declared endpoint

✓ No data exfiltration: all network traffic is limited to agent-api.sparki.io

✓ No hidden functionality: SKILL.md documentation accurately describes the tool's behavior

✓ No sensitive file access: no access to ~/.ssh, ~/.aws, .env, or credential stores

✓ File operations scoped strictly to declared paths (~/.openclaw/config, ~/.openclaw/workspace)

✓ No reverse shell, C2, or persistence mechanisms (no cron, startup hooks, or backdoors)

✓ Clean imports with no suspicious third-party packages