ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Sourcing

v0.2.5

Run the Video Sourcing Agent with deterministic, concise chat UX for /video_sourcing using a pinned self-bootstrap runtime.

0· 634·1 current·1 all-time
bySamuel Zhang@samuelz12
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, declared binaries (git, uv) and required env vars (GOOGLE_API_KEY, YOUTUBE_API_KEY) align with a video-sourcing agent that queries YouTube/Google-backed APIs. Minor note: SKILL.md mentions other platforms (TikTok/Instagram/X) but no credentials for those are requested — that may be because the pinned runtime handles them differently, but it's not explained.
!
Instruction Scope
SKILL.md and the script require host runtime execution (sandbox mode off) and will clone a remote repository and execute its code. The runtime bootstraps to ~/.openclaw/data/video-sourcing-agent and runs uv run python -m video_sourcing_agent.integrations.openclaw_runner, meaning arbitrary code from the pinned repo will be executed with access to local environment and files. The skill also references VIDEO_SOURCING_AGENT_ROOT as an override (not listed in required envs) and instructs polling/kill behavior for processes — all expected but increasing attack surface.
!
Install Mechanism
There is no packaged install spec; the included script clones a pinned GitHub repo (https://github.com/Memories-ai-labs/video-sourcing-agent) at tag v0.2.5 and runs 'uv sync' then 'uv run'. Using GitHub and a pinned tag is better than an unpinned download, but the behavior still writes code to disk and executes third-party dependencies at runtime, which is a high-impact operation and should be audited.
Credentials
The skill only requires GOOGLE_API_KEY and YOUTUBE_API_KEY, which are appropriate for YouTube/Google lookups. However, because the skill bootstraps and runs external code unsandboxed, that code will have access to any other environment variables and local files; treat API keys and other secrets as exposed to the runtime and consider using limited-scope keys or rotating them after use.
Persistence & Privilege
always:false and user-invocable:true (normal). The script persists a managed runtime under ~/.openclaw/data/video-sourcing-agent/v0.2.5 and creates a lock/marker file; this is reasonable for a self-bootstrap runtime. The main privilege concern is the unsandboxed execution of the bootstrapped code rather than any special platform flags.
What to consider before installing
This skill does what it says: it will clone a pinned GitHub repo and run its code on your machine, using your GOOGLE_API_KEY and YOUTUBE_API_KEY. Before installing, review or vet the remote repository (https://github.com/Memories-ai-labs/video-sourcing-agent) and its dependencies, verify you trust the maintainer, and be aware the runtime runs unsandboxed and can access your filesystem and any environment variables. If possible, run it in an isolated environment (VM/container) first, use least-privilege API keys, and be prepared to rotate keys if you proceed. Also note the registry metadata omitted a homepage while SKILL.md references the GitHub repo — that mismatch is worth confirming with the skill author.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

OSmacOS · Linux
Binsgit, uv
EnvGOOGLE_API_KEY, YOUTUBE_API_KEY
latestvk971fhfa6ew5z5kp4am1xs40v582d7sr
634downloads
0stars
7versions
Updated 7h ago
v0.2.5
MIT-0
macOS, Linux
Samuel Zhang@samuelz12
latest
Download

Video Sourcing Skill

Use this skill when the user asks to find, compare, or analyze social videos (YouTube, TikTok, Instagram, Twitter/X), or explicitly invokes /video_sourcing.

This workflow expects host runtime execution (sandbox mode off). The runner auto-bootstraps a pinned runtime from Memories-ai-labs/video-sourcing-agent@v0.2.5 when VIDEO_SOURCING_AGENT_ROOT is not set.

Triggering

Run this workflow when either condition is true:

  1. Message starts with /video_sourcing.
  2. The user asks for video sourcing/trend/creator/brand analysis and wants concrete video links.

If /video_sourcing is used with no query body, ask for the missing query.

Execution contract

  1. Resolve query text:
    • /video_sourcing ... => strip /video_sourcing and use remaining text.
    • Free-form => use user message as query.
  2. Default to compact mode:
    • --event-detail compact
  3. If user asks for debugging/raw payloads:
    • Switch to --event-detail verbose

/video_sourcing deterministic path

  1. Build command with required args:
    • <skill_dir>/scripts/run_video_query.sh --query "<query>" --event-detail <compact|verbose> --ux-mode three_message --progress-gate-seconds 5
  2. Start with exec using background: true and explicit timeout:
    • timeout: 420
  3. Poll with process using action: "poll" every 2-4 seconds until process exits.
  4. Parse NDJSON output and render only these events, using your persona voice for all user-facing text:
    • started => send a brief message conveying that video sourcing has begun, written in your persona voice
    • ux_progress => read the summary field as structured status data and compose a concise, natural progress update in your persona voice (do not echo summary verbatim) Send each ux_progress as a separate assistant message in Telegram.
    • terminal event (complete, clarification_needed, error) => send final message as-is
  5. Do not forward raw progress, tool_call, or tool_result events for /video_sourcing.
  6. Preserve the user's existing OpenClaw personality behavior across all messages — progress and final alike.
  7. Never launch a second run while a prior run session is still active.
    • If retrying, call process with action: "kill" for the prior sessionId first.
  8. If process exits without a terminal event, send a concise fallback message that:
    • states run ended before completion,
    • includes one actionable next step,
    • does not start another run automatically.

Behavior target for /video_sourcing:

  1. Fast run (<5s): 2 messages (started, terminal).
  2. Longer run (>=5s): recurring throttled ux_progress updates, then terminal.

Free-form path (non-strict)

  1. Keep existing flexible behavior.
  2. Build command without forcing three_message mode:
    • <skill_dir>/scripts/run_video_query.sh --query "<query>" --event-detail <compact|verbose>
  3. Stream useful progress updates and final response naturally.

Final response format

When terminal event is complete:

  1. One short paragraph conclusion.
  2. Top 3 video references only by default:
    • title
    • url
    • one-line relevance note
  3. Tools used: ... with a compact status summary.

If fewer than 3 videos exist, show all available references.

When terminal event is clarification_needed:

  1. Ask the clarification question directly.
  2. Treat this as the final response for the current run.

When terminal event is error:

  1. Send concise failure reason.
  2. Include one actionable next step.

Safety and fallback

  1. If script fails due to missing env/tooling, explain exact missing piece (for example VIDEO_SOURCING_AGENT_ROOT, uv, or API key env var).
  2. If VIDEO_SOURCING_AGENT_ROOT is unset, the runner uses managed path:
    • ~/.openclaw/data/video-sourcing-agent/v0.2.5
  3. VIDEO_SOURCING_AGENT_ROOT remains an advanced override for local development.
  4. Keep response concise and action-oriented.
  5. Never fabricate video URLs or metrics.

Comments

Loading comments...