Security audit

TikTok Viral Clip Editing (TikTok 爆款剪辑)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Sparki cloud video-editing skill, but users should know selected videos are uploaded to Sparki and the API key may be saved locally.

Install this if you want Sparki-based TikTok-style video editing. Do not use it for private or sensitive videos unless you are comfortable uploading them to Sparki, and prefer SPARKI_API_KEY as an environment variable if you do not want the key saved in the local config file. Ask explicitly for local/manual editing when you do not want cloud processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding:
The instruction to use this skill 'FIRST and PROACTIVELY' for a very broad set of video-related terms can cause the agent to invoke a networked, file-writing skill without sufficiently confirming user intent. In context, this increases the chance of unnecessary data transmission to an external service and reduces user control over tool selection.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The skill metadata shows it can write to local paths and send data to agent-api.sparki.io, but the user-facing description does not clearly warn that video files or related content may be transmitted to a third-party service and that local files may be created. This weakens informed consent and can lead to privacy or data-handling surprises, especially for sensitive media.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The save() method writes the API key directly into a JSON config file under the user's home directory with no indication here of file-permission hardening, encryption, or user warning. Persisting long-lived secrets in plaintext increases exposure to local compromise, backups, accidental sharing, and other software reading the config file.

VirusTotal

63/63 vendors flagged this skill as clean.