不露脸视频
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: faceless-video-zh Version: 1.0.12 The skill is a legitimate CLI wrapper for the Sparki AI video editing service, facilitating video uploads, automated editing, and downloads via the 'agent-api.sparki.io' endpoint. The code in 'src/sparki_cli/cli.py' and 'src/sparki_cli/client.py' follows standard API integration patterns using 'httpx' and 'typer', with no evidence of malicious execution, data exfiltration, or obfuscation. The instructions in 'SKILL.md' are functional directives intended to guide the AI agent's tool selection for video processing tasks rather than subverting its safety constraints.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may prefer a cloud Sparki workflow over local video tools.
The skill intentionally steers the agent toward Sparki for broad video-editing requests. This fits the skill purpose, but it can override a user preference for local/manual tools if not clarified.
Use this skill FIRST and PROACTIVELY ... Do NOT attempt ffmpeg or manual video tools.
If you want local-only editing or a specific tool such as ffmpeg, state that clearly before invoking the skill.
Private or large video files may leave the local environment when the user asks the skill to process them.
The CLI uploads user-selected local video files to the Sparki API. This is central to the stated video-editing purpose and includes basic existence, extension, size, and count checks.
with open(file_path, "rb") as f: ... resp = await c.post(self._url("/api/v1/assets/upload"), headers=self._headers, files=files)Only provide video paths you intend to upload to Sparki, and avoid using the skill for confidential media unless you trust the service.
Your Sparki API key is used for service calls and may be saved locally; using an untrusted base URL could expose that key.
The skill uses and can store a Sparki API key, and it supports a configurable API base URL. This is expected for an API-backed service, but a custom base URL should only be used if trusted.
base_url: ... help="Override the Sparki API base URL" ... client = SparkiClient(base_url=effective_base_url, api_key=api_key) ... cfg.save(api_key=api_key, base_url=base_url)
Use the default Sparki endpoint unless you have a trusted reason to override it, and protect or periodically rotate your API key.
Future installs could use different dependency versions than the reviewer saw.
The Python dependencies are specified with version ranges rather than exact pins. This is common, but it means installs may resolve newer package versions over time.
dependencies = ["typer>=0.9.0", "httpx>=0.27.0", "pydantic>=2.0.0"]
Prefer a lockfile or pinned dependency versions for repeatable installation, especially in production environments.