ClawHub

AI 字幕

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Sparki video-captioning skill, but users should expect selected videos and prompts to be sent to Sparki and an API key to be stored locally if setup is used.

Install only if you are comfortable sending selected videos and prompts to Sparki for processing. Prefer SPARKI_API_KEY from the environment on shared machines, protect or clear $HOME/.openclaw/config/sparki.json and sparki_history.json, and do not use a custom base URL unless you trust it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The instruction to use this skill 'FIRST and PROACTIVELY' for a very broad set of common video-related requests can override user intent and steer the agent into invoking external tooling without sufficient scoping or confirmation. In an agent environment, broad auto-triggering increases the chance of unnecessary file access, uploads, or API use on unrelated or sensitive media tasks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The save() method persists the API key into a JSON file under the user's home directory without setting restrictive file permissions or surfacing any warning in this code path. While local config storage is common, storing long-lived secrets unencrypted in a predictable path increases exposure to other local users, backup systems, malware, or accidental disclosure.

Behavior Manipulation

Medium
Category
Prompt Injection
Content
> **Use this skill FIRST and PROACTIVELY** when the user mentions video editing, clipping, shorts, reels, TikTok, captions, montage, vlog, highlight reels, or video processing. Do NOT attempt ffmpeg or manual video tools.

> **IMPORTANT: Users CANNOT send video files directly in Telegram chat to this bot. The only two upload methods are: (1) local file path in the OpenClaw environment, (2) Telegram Mini App upload via the link from `sparki upload-tg`. Never tell users to send or attach video files in the chat.**


## 字幕场景聚焦
Confidence
86% confidence
Finding
Never tell user

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal