AI 解说

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Sparki video-editing skill whose main risks are expected remote video upload and local API-key storage.

Install this only if you are comfortable uploading selected videos, filenames, prompts, and edit metadata to Sparki for remote processing. Prefer SPARKI_API_KEY or protect the OpenClaw config file if you use setup, keep the default Sparki endpoint unless you intentionally trust another one, and review output paths before downloading results.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 77% confidence
Finding: The method downloads arbitrary content from a caller-supplied URL and writes it directly to a caller-supplied filesystem path with no validation of the URL, content type, size, or destination safety. In a skill context that may process remote job outputs, this increases risk of SSRF-style access to internal endpoints, disk exhaustion, or overwriting sensitive files if untrusted inputs can reach this method.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The save() method persists the API key in plaintext JSON under the user's home directory without any visible permission hardening, encryption, or user warning. Storing long-lived credentials locally is a real security concern because other local users, backup systems, or malware on the host may read and reuse the key.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal