← Back to Skills Marketplace
Sparkle VPN
by
cwyhkyochen-a11y
· GitHub ↗
· v1.1.0
761
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install sparkle-vpn
Description
Control Sparkle VPN - start, stop, manage system proxy, query status and switch nodes using Mihomo core directly.
Usage Guidance
This skill appears to do exactly what it says: control a local Sparkle/Mihomo VPN. Before installing, verify: 1) you have the Mihomo/Sparkle binaries and the referenced profile (~/.config/sparkle/profiles/19c48c94cbb.yaml) or adjust scripts accordingly; 2) you are comfortable with scripts that start/kill processes and change GNOME proxy settings and write ~/.config/sparkle/proxy.env; 3) required tools (curl, python3, gsettings, pgrep/pkill) are present — the skill does not declare these dependencies; 4) the diagnostic call to https://ipinfo.io/ip will reveal your public IP to that service (harmless for most users, but note if you want no external calls). If unsure, inspect/modify the scripts (they are plain shell) or run them in an isolated/test environment first.
Capability Analysis
Type: OpenClaw Skill
Name: sparkle-vpn
Version: 1.1.0
The skill is classified as suspicious due to multiple critical shell injection vulnerabilities. The `sparkle_vpn_switch` tool in `index.ts` and `tools.yaml` directly interpolates the `node` parameter into a shell command without proper escaping, allowing for arbitrary command execution (RCE) if an attacker can control the `node` input (e.g., via prompt injection to the agent). Furthermore, the `scripts/switch-node.sh` script, which receives this parameter, attempts to URL-encode it using `python3 -c "..."`, but this `python3 -c` command itself is vulnerable to shell injection if the `NODE_NAME` contains unescaped single quotes. Additionally, `switch-node.sh` inserts the `NODE_NAME` into a JSON payload for `curl -d` without JSON escaping, posing a JSON injection risk. While there's no clear evidence of intentional malicious behavior like data exfiltration to external servers, these vulnerabilities represent significant security flaws that could be exploited.
Capability Assessment
Purpose & Capability
The name/description (control Sparkle VPN via Mihomo core) align with the included scripts and index.ts handlers. Scripts operate on ~/.config/sparkle, call the local Mihomo binary (/opt/sparkle/resources/sidecar/mihomo) and the local API at 127.0.0.1:9090 — all consistent with the declared purpose.
Instruction Scope
Runtime instructions and scripts stay within the VPN management domain: starting/stopping mihomo, switching nodes via the local API, and enabling/disabling system proxy via gsettings and a proxy.env file. The scripts also call ipinfo.io to display public IP (an external endpoint used only for diagnostics). They do not read or transmit unrelated files or secrets.
Install Mechanism
There is no external installer or remote download; files are included in the skill bundle and index.ts runs local shell scripts. No URLs or archive extraction are used, lowering install risk.
Credentials
The skill declares no required env vars or credentials (appropriate). However scripts assume availability of tools (curl, python3, gsettings, pgrep/pkill) and a local Mihomo binary at /opt/sparkle/... and a profile at ~/.config/sparkle/profiles/19c48c94cbb.yaml; these are reasonable for the task but are not declared. The only external network call is to ipinfo.io for IP checks (diagnostic only).
Persistence & Privilege
always:false (normal). The skill can start/stop processes and change system proxy settings (gsettings and writing ~/.config/sparkle/proxy.env) and will therefore affect system state and network behavior — this is expected for a VPN control tool but is a privileged action the user should consent to.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install sparkle-vpn - After installation, invoke the skill by name or use
/sparkle-vpn - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Add system proxy management (enable/disable), query status, switch node
v1.0.0
Initial release - Control Sparkle VPN using Mihomo core
Metadata
Frequently Asked Questions
What is Sparkle VPN?
Control Sparkle VPN - start, stop, manage system proxy, query status and switch nodes using Mihomo core directly. It is an AI Agent Skill for Claude Code / OpenClaw, with 761 downloads so far.
How do I install Sparkle VPN?
Run "/install sparkle-vpn" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Sparkle VPN free?
Yes, Sparkle VPN is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Sparkle VPN support?
Sparkle VPN is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Sparkle VPN?
It is built and maintained by cwyhkyochen-a11y (@cwyhkyochen-a11y); the current version is v1.1.0.
More Skills