Security audit

AI Video Editor

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent client for Sparki's cloud video-editing service, but using it means uploading the selected videos and prompts to Sparki and, if the setup flow is used, storing an API key locally.

Install this only if you intend to use Sparki's cloud video-editing service. Use it with videos you are comfortable uploading to Sparki, confirm any translation or captioning instructions before editing, and protect or delete $HOME/.openclaw/config/sparki.json if you do not want the API key stored locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The skill instructs the agent to use the tool 'FIRST and PROACTIVELY' for a very broad set of common terms, which can cause over-invocation of an external service before the user has clearly consented to that workflow. In context, this increases the chance that users are funneled into uploading local videos or third-party transfers without a narrower relevance check or privacy notice.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill routes user videos and related metadata to the external domain agent-api.sparki.io, but the user-facing introduction does not clearly warn that uploads leave the local environment and are processed by a third party. For media files, this omission is security-relevant because videos often contain sensitive personal, workplace, or location information.

Natural-Language Policy Violations

Severity: Medium
Confidence: 86%
Finding
The prompt template suggests 'translate to English' as part of captioning without requiring explicit user opt-in. This can cause unintended transformation of user content and possible privacy or integrity issues, especially for multilingual, legal, medical, or business material where preserving original language matters.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The save() method persists the API key into a JSON config file on disk with no indication of permission hardening, encryption, or user warning. Storing long-lived credentials in plaintext increases the chance of disclosure through local compromise, backups, accidental sharing, or overly permissive filesystem access.
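The mitigation a reviewer would expect for this finding, as an added example that is not the skill's own code: the config file is created with mode 0600 inside a 0700 directory before any bytes are written, written atomically, and checked for permissive modes before the key is read back. The path mirrors the one named above; the JSON layout (a single `api_key` field), the function names and the sample key are assumptions, since the audit page does not show sparki.json's schema. POSIX permission semantics are assumed.

```python
"""Hardened on-disk storage for a long-lived API key (added example, not the skill's code)."""
import json
import os
import stat
import tempfile
from pathlib import Path

# Location named in the audit; the file layout below is an assumption.
DEFAULT_CONFIG = Path.home() / ".openclaw" / "config" / "sparki.json"


def save_api_key(api_key: str, config_path: Path = DEFAULT_CONFIG) -> Path:
    """Persist the key so that only the owning user can read it.

    - parent directory is created (and tightened) to 0700
    - the temp file is created 0600 by mkstemp, so no world-readable copy ever exists
    - the rename is atomic, so a crash leaves either the old file or the new one
    """
    config_path = Path(config_path)
    config_path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(config_path.parent, 0o700)

    payload = json.dumps({"api_key": api_key}, indent=2) + "\n"
    fd, tmp_name = tempfile.mkstemp(dir=config_path.parent, prefix=".sparki-", suffix=".tmp")
    try:
        os.fchmod(fd, 0o600)  # mkstemp already uses 0600; be explicit about the intent
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(payload)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp_name, config_path)
    except BaseException:
        os.unlink(tmp_name)
        raise
    os.chmod(config_path, 0o600)  # tighten an existing file that had looser permissions
    return config_path


def check_config_permissions(config_path: Path = DEFAULT_CONFIG) -> list[str]:
    """Return the problems found with how the key is stored (empty list if acceptable)."""
    config_path = Path(config_path)
    problems = []
    st = os.lstat(config_path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("config path is a symlink")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"file mode {mode:04o} grants access to group/other")
    parent_mode = stat.S_IMODE(os.stat(config_path.parent).st_mode)
    if parent_mode & 0o022:
        problems.append(f"directory mode {parent_mode:04o} is writable by group/other")
    if st.st_uid != os.getuid():
        problems.append("config file is not owned by the current user")
    return problems


def load_api_key(config_path: Path = DEFAULT_CONFIG) -> str:
    """Refuse to use a key that is stored with permissive permissions."""
    problems = check_config_permissions(config_path)
    if problems:
        raise PermissionError("; ".join(problems))
    with open(config_path, encoding="utf-8") as fh:
        return json.load(fh)["api_key"]


def demo() -> dict:
    """Round trip in a throwaway directory; returns what the checks observed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "config" / "sparki.json"
        save_api_key("sk-example-not-a-real-key", path)  # constructed sample key
        hardened = check_config_permissions(path)
        loaded = load_api_key(path)
        os.chmod(path, 0o644)  # simulate a careless chmod or a permissive backup restore
        loose = check_config_permissions(path)
        try:
            load_api_key(path)
            refused = False
        except PermissionError:
            refused = True
    return {"hardened": hardened, "loaded": loaded, "loose": loose, "refused": refused}


if __name__ == "__main__":
    print(demo())
```

Creating the file with the right mode up front matters more than a chmod afterwards: with a default umask of 022, `open(path, "w")` briefly leaves a world-readable file holding the key, and a backup or sync tool that runs in that window copies it with those permissions.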

VirusTotal

66/66 vendors flagged this skill as clean.