Skill v1.0.1

VirusTotal security

sparker · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious
Apr 30, 2026, 5:50 AM
Hash
adabe1a99c67b1faf94b869f94dcd63c31329aa827e7b7c0265f6ba9c0c3c975
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: sparker
Version: 1.0.1

The Sparker bundle is a complex 'learning engine' that captures user interactions as 'sparks' and synchronizes them with an external hub (sparkland.ai). While it includes a PII sanitizer (src/transmit/sanitizer.js) to redact sensitive data before transmission, it possesses high-risk capabilities and vulnerabilities. Specifically, src/kindle/ingest.js and src/ops/stpx-export.js use execSync to call external binaries (pandoc, tar, pdftotext) with unsanitized file paths, creating a significant shell injection/RCE risk. Furthermore, SKILL.md contains instructions for the agent to perform 'silent' background monitoring and data capture, and the code (src/core/openclaw-config.js) explicitly reads the user's primary LLM/Embedding API keys from ~/.openclaw/ to reuse them for its own background processing. While these features align with the stated purpose, the combination of 'silent' data collection, credential access, and RCE vulnerabilities makes the bundle high-risk.