AI Vlog Editor (AI Vlog 剪辑器)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Sparki video-editing skill, but users should understand that selected videos are uploaded to Sparki and the API key may be stored locally.

Install this only if you are comfortable sending chosen video files to Sparki for processing. Use an environment variable instead of saved setup on shared systems when possible, protect the OpenClaw config directory, and explicitly ask for local-only editing if you do not want the agent to route video work through Sparki.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README indicates the skill inherits official upload behavior for user video material, but it does not warn users that their media may be uploaded to external services or explain how that data is handled. For a Vlog editor, users may submit highly sensitive personal footage, so missing disclosure can lead to privacy harm, uninformed consent, and accidental exposure of personal data.

Vague Triggers

Medium
Confidence: 84%
Finding
The instruction to use the skill 'FIRST and PROACTIVELY' for a very broad set of common video-related terms can cause the agent to invoke this skill in situations where it may not be necessary or where a safer/local tool would suffice. That increases the chance of unnecessary data routing to an external service and can override user intent or least-privilege tool selection.

Missing User Warnings

Medium
Confidence: 87%
Finding
The save() method persists the API key into a JSON config file under the user's home directory without any evident permission hardening, encryption, or user-facing disclosure in this code path. Storing long-lived secrets on disk increases the risk of credential exposure through local compromise, backups, misconfigured file permissions, or accidental sharing of the config directory.

VirusTotal

64/64 vendors flagged this skill as clean.
