AI Commentary

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ai-commentary-zh
Version: 1.0.12

The skill is a legitimate CLI wrapper for the Sparki AI video editing service. It facilitates video uploads, project management, and result downloads via the 'agent-api.sparki.io' endpoint. The code in 'cli.py' and 'client.py' uses standard libraries (httpx, typer) and follows secure practices for configuration management and file handling, with permissions correctly restricted to the tool's specific workspace and config directories. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (High Confidence)
ASI01: Agent Goal Hijack
What this means

The agent may choose Sparki automatically for broad video-editing requests, which can involve uploading local media to Sparki.

Why it was flagged

The skill gives strong routing instructions that could cause an agent to prefer the Sparki remote workflow over other video-editing options.

Skill content
**Use this skill FIRST and PROACTIVELY** ... Do NOT attempt ffmpeg or manual video tools.
Recommendation

Confirm that the user wants Sparki remote processing before uploading sensitive or private videos.

What this means

If a non-default endpoint is used, the Sparki API key and video-editing requests could be sent somewhere other than the normal Sparki service.

Why it was flagged

The setup command allows a caller to override the API endpoint. This is user-directed, but it changes where authenticated API calls go.

Skill content
base_url: Annotated[Optional[str], typer.Option("--base-url", help="Override the Sparki API base URL")]
Recommendation

Use the default Sparki endpoint unless you intentionally trust the alternate base URL.

What this means

Anyone who can read the local config file may be able to access the user's Sparki account/API quota.

Why it was flagged

The CLI reads a Sparki API key from the environment and can persist it to the local OpenClaw config directory.

Skill content
env_key = os.environ.get("SPARKI_API_KEY") ... self._data["api_key"] = api_key ... self.config_file.write_text(json.dumps(self._data, indent=2))
Recommendation

Use a dedicated Sparki API key, protect the OpenClaw config directory, and rotate the key if the config is exposed.

What this means

Private video content, filenames, prompts, and edit metadata may leave the local environment for remote processing.

Why it was flagged

The CLI uploads selected local video files to the configured Sparki API endpoint using authenticated requests.

Skill content
with open(file_path, "rb") as f: ... c.post(self._url("/api/v1/assets/upload"), headers=self._headers, files=files)
Recommendation

Only upload media that the user is comfortable sending to Sparki, and avoid using this workflow for highly sensitive videos unless that is clearly appropriate.

What this means

Future dependency resolution could install newer package versions than those originally tested.

Why it was flagged

Installation resolves external Python packages using version ranges. This is normal for a Python CLI but still creates standard dependency supply-chain exposure.

Skill content
dependencies = ["typer>=0.9.0", "httpx>=0.27.0", "pydantic>=2.0.0"]
Recommendation

Prefer locked or reviewed dependency versions in higher-assurance environments.