Scan report
5/100
highlight-reels
OpenClaw skill for Sparki AI video editing — extract highlights, create reels, clips, and shorts from video footage
This is a legitimate OpenClaw skill for AI-powered video highlight extraction and editing. The entire codebase is a straightforward CLI tool that uploads videos, creates editing projects via the Sparki API, polls for completion, and downloads results. No malicious behavior, obfuscation, credential theft, or hidden functionality was found.
Safe to install
Approve for use. No security concerns identified.
| Resource type | Declared permissions | Inferred permissions | Status | Evidence |
|---|---|---|---|---|
| File system | READ($CWD), WRITE($HOME/.openclaw/config, $HOME/.openclaw/workspace/sparki/videos) | READ($CWD), WRITE($HOME/.openclaw/config, $HOME/.openclaw/workspace/sparki/videos, $HOME/.openclaw/sparki_history.json) | ✓ Consistent | config.py:14, cli.py:79-80 — all file writes are scoped to declared paths |
| Network access | READ agent-api.sparki.io | READ agent-api.sparki.io, WRITE download result URLs (redirect targets) | ✓ Consistent | client.py:79, constants.py:61 — API calls target agent-api.sparki.io; download f… |
| Command execution | NONE | NONE | — | No subprocess, os.system, or shell execution found. asyncio.run() used only for … |
| Environment variables | NONE | READ SPARKI_API_KEY, SPARKI_UPLOAD_TG_LINK (standard config env vars) | ✓ Consistent | config.py:27-28 — reads SPARKI_API_KEY from env if set; this is a standard CLI p… |
| Skill invocation | NONE | NONE | — | No cross-skill invocation detected |
| Clipboard | NONE | NONE | — | No clipboard access found |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access found |
7 findings
| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/ClawHub-Skill-blueviolet | README.md:3 |
| Medium | External URL | https://clawhub.io | README.md:3 |
| Medium | External URL | https://img.shields.io/badge/version-1.0.12-blue | README.md:4 |
| Medium | External URL | https://sparki.io | SKILL.md:17 |
| Medium | External URL | https://agent-api.sparki.io | src/sparki_cli/constants.py:61 |
| Medium | External URL | https://t.me/Sparki_AI_bot/upload | src/sparki_cli/constants.py:62 |
| Medium | External URL | https://sparki.io/pricing | src/sparki_cli/constants.py:101 |
Directory structure
11 files · 33.3 KB · 1010 lines
Python 7f · 904L
Markdown 2f · 71L
TOML 1f · 31L
JSON 1f · 4L
├─ src
│  └─ sparki_cli
│     ├─ __init__.py (Python)
│     ├─ cli.py (Python)
│     ├─ client.py (Python)
│     ├─ config.py (Python)
│     ├─ constants.py (Python)
│     ├─ models.py (Python)
│     └─ output.py (Python)
├─ _meta.json (JSON)
├─ pyproject.toml (TOML)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependency analysis: 3 items
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| typer | >=0.9.0 | pip | No | Lower-bound pin only; no CVE history |
| httpx | >=0.27.0 | pip | No | Lower-bound pin only; no CVE history |
| pydantic | >=2.0.0 | pip | No | Lower-bound pin only; no CVE history |
Security highlights
✓ No obfuscation: No base64, eval(), or encoded strings found anywhere in the codebase
✓ No credential theft: API key is stored locally in sparki.json and read from SPARKI_API_KEY env var — no exfiltration of other credentials
✓ No shell execution: No subprocess, os.system, or shell commands; asyncio.run() used only for httpx async operations
✓ No sensitive path access: No reads of ~/.ssh, ~/.aws, .env, or similar credential-adjacent paths
✓ No remote code execution: No curl|bash, pip install from URLs, or any remote script execution
✓ No hidden instructions: No HTML comments, encoded payloads, or LLM prompt injection detected
✓ Clear documentation: SKILL.md accurately describes the highlight reel and video editing workflow
✓ Pinned dependencies: typer>=0.9.0, httpx>=0.27.0, pydantic>=2.0.0 — major security-relevant packages use lower-bound pinning (minor issue, not high-risk)