AI 视频剪辑器
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: ai-video-editor-zh Version: 1.0.6 The skill bundle provides a legitimate interface for an AI video editing service (Sparki). It consists of Bash scripts that handle video file uploads, project creation, and status polling via the 'aicoding.live' API. The code demonstrates good security practices, such as using 'jq' for safe JSON construction and performing local validation on file types and sizes (e.g., in upload_asset.sh). There is no evidence of data exfiltration, malicious execution, or harmful prompt injection; the instructions in SKILL.md are strictly functional and aligned with the tool's stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Videos you process with this skill are uploaded to the provider, and the returned temporary URL may provide access to the processed video.
This shows the selected MP4 file and API key are sent to a remote provider API. That is expected for the skill's cloud video-editing purpose, but it is still a sensitive data flow.
curl -sS -X POST "${SPARKI_API_BASE}/business/assets/upload" -H "X-API-Key: $SPARKI_API_KEY" -F "files=@${FILE_PATH};type=video/mp4"Only use this skill with videos you are comfortable uploading to the provider, and avoid sharing the returned download URL unless intended.
Anyone with access to the configured API key may be able to use the Sparki API under the user's account or quota.
The skill requires a provider API key and documents persistent ways to store it. This is expected for the integration, but the key may grant account/API access and should be protected.
openclaw config set env.SPARKI_API_KEY "sk_live_your_key_here" ... echo 'export SPARKI_API_KEY="sk_live_your_key_here"' >> ~/.bashrc ... echo 'SPARKI_API_KEY="sk_live_your_key_here"' >> ~/.openclaw/.env
Store the key only in trusted OpenClaw or shell configuration, avoid committing it to projects, and rotate it if it may have been exposed.
There is minor ambiguity about the exact package identity/version represented by the embedded metadata.
The embedded metadata differs from the supplied registry metadata, which lists a different owner ID, slug ai-video-editor-zh, and version 1.0.6. This is a provenance/versioning inconsistency, not evidence of harmful behavior in the reviewed scripts.
"ownerId": "kn7c51bhqse2svzjhbej3e3whh81tzrd", "slug": "ai-video-editor", "version": "1.0.5"
Install from the trusted ClawHub listing and verify the maintainer, version, and endpoint before using it with sensitive videos.