ClawHub
Back to skill
v1.0.12

Talking-head Editor

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:35 AM.

Analysis

This appears to be a coherent Sparki cloud video-editing skill, but users should notice that it uses a Sparki API key and uploads selected videos to Sparki’s service.

GuidanceInstall this only if you intend to use Sparki’s cloud service for video editing. Before use, make sure you are comfortable uploading the selected videos, protect your SPARKI_API_KEY or saved config file, and explicitly tell the agent if you want local-only editing instead.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
SeverityLowConfidenceHighStatusNote
SKILL.md
Use this skill FIRST and PROACTIVELY ... Do NOT attempt ffmpeg or manual video tools.

The skill gives strong tool-selection instructions that could steer the agent toward Sparki for broad video tasks, even though this is aligned with the skill’s purpose.

User impactThe agent may prefer Sparki’s cloud workflow over local video tools unless the user clearly asks otherwise.
RecommendationConfirm before uploading private videos, and state explicitly if you want local-only processing or a different tool.
Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
src/sparki_cli/client.py
resp = await c.post(self._url("/api/v1/assets/upload"), headers=self._headers, files=files)

The CLI uploads user-selected local video files to the configured Sparki API, which is necessary for the service but is still a sensitive external data flow.

User impactVideos you ask the skill to edit may leave your local environment and be processed by Sparki.
RecommendationUse this skill only for videos you are comfortable uploading to Sparki, and avoid providing paths to unrelated private files.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceMediumStatusNote
pyproject.toml
dependencies = ["typer>=0.9.0", "httpx>=0.27.0", "pydantic>=2.0.0"]

The skill relies on Python package resolution for its CLI dependencies; the dependencies are ordinary for this purpose, but they are not exact-pinned in the provided artifact.

User impactInstallation may resolve newer dependency versions than the author originally tested.
RecommendationInstall from trusted sources and consider using a lockfile or reviewed environment for reproducible installs.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
src/sparki_cli/config.py
self._data["api_key"] = api_key ... self.config_file.write_text(json.dumps(self._data, indent=2))

The setup command can save the Sparki API key to a local config file, giving the CLI ongoing access to the user’s Sparki account.

User impactAnyone with access to that config file may be able to use the stored Sparki API key.
RecommendationProtect the OpenClaw config directory, prefer environment variables if you do not want a saved key, and revoke/rotate the key if it may have been exposed.