Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Resize

v1.0.0

Use when the user wants to change a video's aspect ratio or reformat it for a specific platform — e.g. "convert to vertical", "make it 9:16", "crop for TikTo...

by BoShen @symbolk
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (local video reformatting) matches the included scripts (scripts/resize.sh uses only ffmpeg). However, the SKILL.md also documents an optional 'AI Edit' feature that uploads files to a remote service and requires SPARKI_API_KEY. This remote capability is not reflected in the top-level requirements (no env vars listed), so it is an unexplained extension of the skill.
! Instruction Scope
Runtime instructions for the primary tool are local (center-crop via ffmpeg). But the SKILL.md contains full example code that will upload user video files to a remote API, poll for processing, and return a download URL. That behavior will transmit user video content off-host and is only described as an optional escalation, but it is explicit and actionable in the skill's instructions.
Install Mechanism
No install spec; the skill is instruction-only with a small shell script. Nothing in the manifest downloads or executes remote installers.
! Credentials
The skill metadata declares no required env vars, but SKILL.md clearly requires SPARKI_API_KEY for the AI Edit flow and shows commands to store it (openclaw config set). The API base used in the examples (agent-api-test.aicoding.live) does not match the listed homepage (sparki.io), which is an unexplained mismatch and increases risk when providing credentials.
Persistence & Privilege
always is false and there is no indication the skill requests persistent privileges or modifies other skills' configs. The only persistent action referenced is storing SPARKI_API_KEY via openclaw config if the user opts into AI Edit — that is normal for an optional remote integration.
What to consider before installing
This skill's local resizer (scripts/resize.sh) is straightforward and runs entirely on your machine with ffmpeg. However, the SKILL.md also includes an optional 'AI Edit' workflow that will upload videos to a third-party service and requires you to configure SPARKI_API_KEY. Before installing/using: (1) treat uploads as sensitive — do not use the AI flow for confidential videos; (2) verify the API hostname and provider (the example uses agent-api-test.aicoding.live while the homepage is sparki.io); (3) require explicit consent and supply your own API key from a trusted provider if you want AI editing; (4) prefer to remove or ignore the AI Edit section if you only need local resizing. If the author clarifies the endpoint, declares SPARKI_API_KEY in metadata, or removes the remote upload example, the inconsistencies would be resolved and confidence would increase.

Like a lobster shell, security has layers — review code before you run it.

latestvk973ae61pkkxb910akyavqbxk9821asm

Runtime requirements

📐 Clawdis
OS: macOS · Linux
Bins: ffmpeg
