Skill v1.0.12

ClawScan security

AI Video Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 24, 2026, 2:32 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requested credential (SPARKI_API_KEY) align with a remote video-rendering service; nothing in the package appears to request unrelated secrets or privileged system access.
Guidance
This skill appears coherent for a remote video-rendering integration: it needs only python and a SPARKI_API_KEY and its code matches the described API calls. Before installing or using it, consider: (1) privacy — uploaded videos are sent to https://business-agent-api.sparki.io, so only supply content you are comfortable sending to a third party; (2) credential handling — avoid storing the API key in plaintext if you can (the optional ~/.openclaw/config/sparki.env will contain it); (3) verify the service identity/ownership — the support email domain (sparksview.com) does not match sparki.io, so confirm the provider if you rely on trust; (4) if you need to avoid network transmission entirely, this skill is not suitable because it uses a remote API; (5) run python scripts/health.py first to validate connectivity and key behavior. If any of these points are unacceptable, do not provide the API key or run the skill.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the scripts upload a local MP4, create a render project, poll for completion, and download an MP4. Declared requirements (python and SPARKI_API_KEY) are appropriate and sufficient for the stated purpose.
Instruction Scope
ok: SKILL.md and the Python entrypoints limit runtime actions to reading an optional config (~/.openclaw/config/sparki.env), reading the user-specified video file(s), and calling Sparki's Business API endpoints. The shell wrappers require curl/jq but are labelled legacy; the primary workflow uses Python standard library only. There are no instructions to read unrelated system files or exfiltrate unrelated data.
Install Mechanism
ok: No install spec or remote download is used; the code is bundled with the skill and executed by the user's python. That keeps installation risk low (no arbitrary remote code fetched during install).
Credentials
note: Only SPARKI_API_KEY is required (declared as the primary credential), which is proportional to a remote rendering service. Notes of caution: the optional config file (~/.openclaw/config/sparki.env) stores the API key and related settings in plaintext if used; the README/setup write_default_config will create that file. Also the support email domain (support@sparksview.com) differs from the sparki.io hostname used for the API and homepage; this is not necessarily malicious, but it is a mismatch worth verifying before providing credentials.
Persistence & Privilege
ok: always:false and no special platform privileges are requested. The skill only writes its own config file under the user's home and creates an output directory under the user's home, which is standard and scoped behavior.