Highlight Reels

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for Sparki cloud video editing, but it uploads selected videos and stores Sparki configuration/API credentials locally.

Install only if you are comfortable sending selected videos to Sparki's cloud service and storing a Sparki API key in the local OpenClaw config. Verify file paths before upload, avoid custom API base URLs unless trusted, and consider using an isolated Python environment for the uv-based setup.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI01: Agent Goal Hijack
Low
What this means

The agent may prefer cloud-based Sparki processing even when a local/manual editing workflow could be possible.

Why it was flagged

This strongly steers the agent's tool choice toward Sparki and away from alternatives. It matches the video-editing purpose, but affects how the agent responds.

Skill content
Use this skill FIRST and PROACTIVELY ... Do NOT attempt ffmpeg or manual video tools.
Recommendation

Use this skill when you are comfortable with Sparki handling the video; otherwise explicitly ask for a local or non-Sparki workflow.

ASI02: Tool Misuse and Exploitation
Low
What this means

Any video file selected for upload will be sent to Sparki for processing.

Why it was flagged

The CLI uploads selected video files to the Sparki API. This is central to the skill's purpose and includes file validation, but it is still an external transfer.

Skill content
resp = await c.post(self._url("/api/v1/assets/upload"), headers=self._headers, files=files)
Recommendation

Only provide file paths for videos you intend to upload to Sparki, and avoid using private or sensitive videos unless you trust that service.

ASI03: Identity and Privilege Abuse
Low
What this means

A Sparki API key may be stored locally and used for future uploads, project creation, status checks, and downloads.

Why it was flagged

Setup validates and saves the Sparki API key and optional base URL for later authenticated requests. This is expected for the service integration, but it is credential handling.

Skill content
client = SparkiClient(base_url=effective_base_url, api_key=api_key) ... cfg.save(api_key=api_key, base_url=base_url)
Recommendation

Use a dedicated Sparki API key if possible, keep the local OpenClaw config protected, and only set a custom base URL if you fully trust it.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Installing may resolve newer dependency versions than the author originally tested.

Why it was flagged

The package relies on normal Python dependencies specified with lower-bound version ranges. This is common, but less reproducible than exact pins or a reviewed lockfile.

Skill content
"typer>=0.9.0", "httpx>=0.27.0", "pydantic>=2.0.0"
Recommendation

Install in an isolated environment and prefer a locked dependency set if reproducibility is important.

ASI06: Memory and Context Poisoning
Info
What this means

Someone with access to the local OpenClaw config directory could see recent Sparki task IDs and edit modes/styles.

Why it was flagged

The CLI stores limited local project history for recent Sparki tasks. This is purpose-aligned and bounded, but it is persistent local state.

Skill content
history.insert(0, {"task_id": task_id, "mode": mode, "style": style, ...}) ... history = history[:100]
Recommendation

Clean the Sparki history/config directory if using a shared machine or if project metadata should not persist.