Highlight Reel
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Sparki cloud video-editing skill, with expected but important risks around API-key handling and uploading selected videos to an external service.
Install this if you trust the Sparki service and publisher, and only use it for videos you are comfortable uploading for cloud processing. Protect or avoid saving the API key on shared machines, keep the default Sparki API endpoint unless you intentionally trust another one, and clear local history/config files if needed.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may choose Sparki quickly for video work, potentially involving uploads or account quota.
The skill strongly steers the agent toward Sparki for a broad set of video-related requests. This fits the purpose, but it could cause the agent to prefer cloud processing even when a user might want a local/offline tool.
Use this skill FIRST and PROACTIVELY ... Do NOT attempt ffmpeg or manual video tools.
Confirm before uploading private videos or using paid/quota-consuming cloud processing, especially if the user asks for local-only handling.
Anyone with access to that local config file may be able to use the Sparki account/API key.
The Sparki API key is saved to a local OpenClaw config file. This is expected for an authenticated Sparki CLI, but it is still a credential stored on disk.
DEFAULT_CONFIG_DIR = Path.home() / ".openclaw" / "config" ... self._data["api_key"] = api_key ... self.config_file.write_text(json.dumps(self._data, indent=2))
Use this only on trusted machines, protect the OpenClaw config directory, and revoke or rotate the API key if the machine or config file may be exposed.
If an untrusted base URL is used, the API key and later video-processing requests could be sent to that endpoint.
The setup command can validate and use the API key against a user-specified base URL. This is not the default path, but it broadens where credentials could be sent if configured.
base_url: ... typer.Option("--base-url", help="Override the Sparki API base URL") ... client = SparkiClient(base_url=effective_base_url, api_key=api_key)
Do not use --base-url unless the endpoint is trusted and intended; keep the default Sparki domain for normal use.
Private or sensitive video content may be transmitted to Sparki for processing.
The CLI uploads selected local video files to the configured Sparki API. This is central to the cloud video-editing purpose, but it means user media leaves the local environment.
resp = await c.post(self._url("/api/v1/assets/upload"), headers=self._headers, files=files)
Only upload videos you are comfortable processing through Sparki, and verify the configured API endpoint before use.
Future installs could resolve to newer dependency versions than the author originally tested.
The skill depends on common Python packages, but the dependency versions are ranges rather than exact pins. This is typical for small CLIs, but it leaves dependency resolution to install time.
dependencies = [
"typer>=0.9.0",
"httpx>=0.27.0",
"pydantic>=2.0.0",
]
Install from a trusted environment and consider using a lockfile or reviewed dependency set if reproducibility is important.
Local history may reveal recent video-editing tasks or task identifiers.
The CLI stores recent Sparki task IDs and edit metadata locally for history lookups. This is useful and purpose-aligned, but it creates persistent local records of activity.
history.insert(0, {"task_id": task_id, "mode": mode, "style": style, ...}); history = history[:100] ... hf.write_text(json.dumps(history, indent=2))
Clear the Sparki history/config files if shared machines or local privacy are a concern.
