ClawHub

哪个 Sparki Skill 适合我?

Security checks across malware telemetry and agentic risk

Overview

This is a real Sparki cloud video-editing CLI, but it is packaged as a chooser/navigation skill while requesting enough access to store an API key and upload local videos.

Install only if you want a full Sparki cloud video-editing workflow, not just a recommendation guide. Use it with videos you are comfortable uploading to Sparki, prefer SPARKI_API_KEY from the environment if possible, and review the local plaintext config file if you run setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The instruction to 'use this skill FIRST and PROACTIVELY' on a wide range of common video-related phrases makes the skill likely to activate in situations where the user may only be discussing video content rather than requesting this specific tool. Over-broad proactive routing can steer users away from safer or more appropriate workflows and increases the chance of unnecessary file handling and third-party API usage.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The client downloads arbitrary remote content from a caller-provided URL and writes it directly to a caller-provided path on disk, following redirects and without validating the destination host, content type, or maximum size. In an agent context, this can enable SSRF-like outbound access, unexpected large-file downloads, or unsafe file writes if untrusted inputs control the URL or output path.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists the API key into a plaintext JSON config file under the user's home directory with no permission hardening, encryption, or user-facing warning in this file. If the local system is shared, backed up, inspected by other tools, or compromised by lower-privilege malware, the credential can be recovered and used to access the associated service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal