ClawHub

Which Sparki Skill Should I Use?

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Sparki cloud video-editing helper, with normal cautions around uploading videos and storing a service API key locally.

Install this if you are comfortable using Sparki as a cloud video-editing service. Only provide videos you intend to upload to Sparki, avoid sensitive footage unless you trust the service, protect or revoke the stored API key if needed, and use explicit output paths only where you want edited videos saved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill instructs the agent to use it "FIRST and PROACTIVELY" for a broad set of common video-related terms. This can cause over-invocation, routing users into a remote-upload workflow before confirming necessity, user intent, or privacy expectations, increasing the chance of unnecessary data exposure and tool misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description markets video editing features but does not clearly disclose that user video files and related metadata are uploaded to an external service. Users may provide sensitive footage without understanding that it leaves the local environment, which creates privacy and consent risks.

Missing User Warnings

Low
Confidence
84% confidence
Finding
download_result fetches arbitrary remote content from a caller-supplied URL and writes it directly to a caller-supplied local path, following redirects, with no scheme/host allowlist, size limit, or destination-path safety checks. In a skill that handles remote media-processing results, this increases risk of SSRF-like access to internal endpoints, unexpected downloads from attacker-controlled URLs, disk exhaustion, or overwriting sensitive local files if upstream inputs are attacker influenced.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The `save()` method persists the API key in plaintext JSON under the user's home directory without any visible controls for file permissions, encryption, or user warning. If the local system is shared, backed up insecurely, or the config directory has permissive permissions, the credential could be recovered and abused to access the user's Sparki account or API quota.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal