Long to Short

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Sparki video-editing helper that uploads user-selected videos to Sparki and saves local configuration, with no evidence of hidden or malicious behavior.

Install this if you are comfortable sending selected video files and prompts to Sparki for processing. Prefer using SPARKI_API_KEY from the environment or protect ~/.openclaw/config/sparki.json, and only use the default Sparki API base URL unless you explicitly trust an alternative endpoint.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The instruction to use this skill 'FIRST and PROACTIVELY' for a very broad set of common video-related terms can cause the agent to invoke the skill in situations where it may not be appropriate. That can steer users into a vendor-specific workflow and suppress safer or more suitable alternatives, increasing the chance of unintended data handling or user confusion.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The save() method persists the API key into a plaintext JSON file under the user's home directory with no permission hardening, encryption, or user-facing warning. This increases the risk of credential disclosure through local compromise, backups, shared accounts, or accidental file exposure, though it is not by itself evidence of exfiltration or malicious behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal