AI Caption

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ai-caption
Version: 1.0.12

The ai-caption skill is a legitimate CLI wrapper for the Sparki AI video editing platform. It provides functionality to upload video files, initiate captioning/editing tasks, and download processed results from agent-api.sparki.io. The code follows standard practices using Typer and HTTPX, with permissions in SKILL.md correctly scoped to its configuration and workspace directories. No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note, High Confidence
ASI01: Agent Goal Hijack
What this means

The agent may choose Sparki instead of local/manual tools when video editing is discussed.

Why it was flagged

This instruction steers the user's agent toward Sparki for broad video-editing mentions and discourages alternative local tools. It is aligned with the skill's purpose, but users should notice the strong routing preference.

Skill content
Use this skill FIRST and PROACTIVELY ... Do NOT attempt ffmpeg or manual video tools.
Recommendation

Use this skill when you want Sparki-based editing; if you prefer local tools such as ffmpeg, tell the agent explicitly.

What this means

If directed to use an unsafe output path, the CLI could write video output somewhere unintended.

Why it was flagged

The download command can write the completed video either to the default OpenClaw output directory or to a caller-provided path. This is normal for a download tool, but it is local file-write authority.

Skill content
def download(... output: Optional[Path] ...); out_path = output or cfg.default_output_dir / f"{task_id}.mp4"
Recommendation

Prefer the default output directory or provide an explicit safe path for downloads.

What this means

A Sparki API key grants account access to the provider service and may be stored locally for reuse.

Why it was flagged

The setup flow validates and saves a Sparki API key, and it also supports a custom API base URL. This is disclosed CLI functionality, but the API key should only be sent to trusted Sparki endpoints.

Skill content
base_url: ... Option("--base-url", help="Override the Sparki API base URL") ... client = SparkiClient(base_url=effective_base_url, api_key=api_key) ... cfg.save(api_key=api_key, base_url=base_url)
Recommendation

Use the default Sparki endpoint unless you intentionally trust another endpoint, and protect or rotate the API key if exposed.

What this means

A later install could use newer dependency versions than those originally tested.

Why it was flagged

The package depends on common Python libraries with lower-bound version ranges, so future installs may resolve newer versions. This is common, but less deterministic than pinned dependencies or a lockfile.

Skill content
dependencies = ["typer>=0.9.0", "httpx>=0.27.0", "pydantic>=2.0.0"]
Recommendation

For stricter supply-chain control, install with a reviewed lockfile or pinned dependency set.

What this means

Selected videos leave the local environment and are processed by Sparki.

Why it was flagged

The CLI uploads user-selected video files to the Sparki API using the configured API key. This is central to the stated video-editing purpose, but video files can contain sensitive personal or business content.

Skill content
with open(file_path, "rb") as f: ... resp = await c.post(self._url("/api/v1/assets/upload"), headers=self._headers, files=files)
Recommendation

Upload only videos you intend to share with Sparki and review Sparki's privacy/retention terms if the content is sensitive.