Video Clip
ReviewAudited by ClawScan on May 10, 2026.
Overview
The local video-trimming script is straightforward, but the instructions also add an under-declared AI-edit workflow that can upload videos externally and may expose an API key.
The included clip.sh appears safe for local, user-directed trimming with ffmpeg. Before using the AI Edit instructions, verify the external API host, avoid printing or logging SPARKI_API_KEY, and only upload videos after explicit consent and understanding where the file will be processed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Sparki API key could be accidentally revealed to the agent session or logs.
This command is described as a way to check whether the key is configured, but when SPARKI_API_KEY is set it prints the actual key after the word 'configured', exposing the credential to terminal output, transcripts, or logs.
echo "Key: ${SPARKI_API_KEY:+configured}${SPARKI_API_KEY:-MISSING}"Do not run this key-check command as written. Replace it with a check that only prints 'configured' or 'missing', and declare the API key requirement if the AI Edit workflow remains in the skill.
If the agent follows the AI Edit path, private video content may leave the device and be processed by an external service.
The AI Edit path uploads the selected local video to an external API using an API key, even though the registry metadata declares no credentials and the main skill is framed as local/no-key clipping.
SPARKI_API_BASE="https://agent-api-test.aicoding.live/api/v1" ... curl -sS -X POST "${SPARKI_API_BASE}/business/assets/upload" -H "X-API-Key: $SPARKI_API_KEY" -F "file=@${FILE_PATH}"Require explicit user confirmation before any upload, clearly document the destination, credential requirement, retention/download behavior, and why the non-sparki.io API host is trusted.
A custom output path could overwrite an existing file if the agent or user selects one.
The local clipping tool uses ffmpeg with -y, which overwrites the chosen output file without prompting. This is purpose-aligned for video clipping, but users should choose output paths carefully.
ffmpeg -y -loglevel error -stats ... "$OUTPUT"
Use the default '_clip' output name or confirm before writing to an existing custom output path.