Scan Report
5 /100
highlight-reels
OpenClaw skill for Sparki AI video editing — extract highlights, create reels, clips, and shorts from video footage
This is a legitimate OpenClaw skill for AI-powered video highlight extraction and editing. The entire codebase is a straightforward CLI tool that uploads videos, creates editing projects via the Sparki API, polls for completion, and downloads results. No malicious behavior, obfuscation, credential theft, or hidden functionality was found.
Safe to install
Approve for use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ($CWD), WRITE($HOME/.openclaw/config, $HOME/.openclaw/workspace/sparki/videos) | READ($CWD), WRITE($HOME/.openclaw/config, $HOME/.openclaw/workspace/sparki/videos, $HOME/.openclaw/sparki_history.json) | ✓ Aligned | config.py:14, cli.py:79-80 — all file writes are scoped to declared paths |
| Network | READ agent-api.sparki.io | READ agent-api.sparki.io, WRITE download result URLs (redirect targets) | ✓ Aligned | client.py:79, constants.py:61 — API calls target agent-api.sparki.io; download f… |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell execution found. asyncio.run() used only for … |
| Environment | NONE | READ SPARKI_API_KEY, SPARKI_UPLOAD_TG_LINK (standard config env vars) | ✓ Aligned | config.py:27-28 — reads SPARKI_API_KEY from env if set; this is a standard CLI p… |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation detected |
| Clipboard | NONE | NONE | — | No clipboard access found |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access found |
7 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/ClawHub-Skill-blueviolet | README.md:3 |
| Medium | External URL | https://clawhub.io | README.md:3 |
| Medium | External URL | https://img.shields.io/badge/version-1.0.12-blue | README.md:4 |
| Medium | External URL | https://sparki.io | SKILL.md:17 |
| Medium | External URL | https://agent-api.sparki.io | src/sparki_cli/constants.py:61 |
| Medium | External URL | https://t.me/Sparki_AI_bot/upload | src/sparki_cli/constants.py:62 |
| Medium | External URL | https://sparki.io/pricing | src/sparki_cli/constants.py:101 |
File Tree
11 files · 33.3 KB · 1010 lines
Python: 7 files · 904 lines
Markdown: 2 files · 71 lines
TOML: 1 file · 31 lines
JSON: 1 file · 4 lines
├─ src
│  └─ sparki_cli
│     ├─ __init__.py (Python)
│     ├─ cli.py (Python)
│     ├─ client.py (Python)
│     ├─ config.py (Python)
│     ├─ constants.py (Python)
│     ├─ models.py (Python)
│     └─ output.py (Python)
├─ _meta.json (JSON)
├─ pyproject.toml (TOML)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 3 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| typer | >=0.9.0 | pip | No | Lower-bound pin only; no CVE history |
| httpx | >=0.27.0 | pip | No | Lower-bound pin only; no CVE history |
| pydantic | >=2.0.0 | pip | No | Lower-bound pin only; no CVE history |
Security Positives
✓ No obfuscation: No base64, eval(), or encoded strings found anywhere in the codebase
✓ No credential theft: API key is stored locally in sparki.json and read from SPARKI_API_KEY env var — no exfiltration of other credentials
✓ No shell execution: No subprocess, os.system, or shell commands; asyncio.run() used only for httpx async operations
✓ No sensitive path access: No reads of ~/.ssh, ~/.aws, .env, or similar credential-adjacent paths
✓ No remote code execution: No curl|bash, pip install from URLs, or any remote script execution
✓ No hidden instructions: No HTML comments, encoded payloads, or LLM prompt injection detected
✓ Clear documentation: SKILL.md accurately describes the highlight reel and video editing workflow
✓ Pinned dependencies: typer>=0.9.0, httpx>=0.27.0, pydantic>=2.0.0 — major security-relevant packages use lower-bound pinning (minor issue, not high-risk)