Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Seek And Analyze Video
v2.1.1Video intelligence and content analysis using Memories.ai LVMM. Discover videos on TikTok, YouTube, Instagram by topic or creator. Analyze video content, sum...
⭐ 0· 223·0 current·0 all-time
byAlireza Rezvani@alirezarezvani
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name, description, SKILL.md, and example code consistently describe video discovery and analysis via Memories.ai LVMM — that capability is coherent. However, the registry metadata lists no required environment variables while SKILL.md and example_workflow.py explicitly require MEMORIES_API_KEY. This mismatch between claimed requirements and actual instructions is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to (a) read marketing-context.md if present, (b) import local meeting recordings (e.g., internal_recording.mp4) in some examples, and (c) send video content to the Memories.ai service. Reading marketing-context.md (an unspecified local file) and importing local recordings are outside the skill's declared config paths and could expose local data if used — the file access is not declared in metadata and should be made explicit. The SKILL.md also instructs cloning an external GitHub repo for the 'full' flow, which expands runtime behavior beyond the packaged instructions.
Install Mechanism
There is no install spec (instruction-only skill) and an included example script is demo-only. That low-install footprint reduces immediate risk. Note: the example's full-mode tells users to clone an external GitHub repo for the real implementation; that external code is not reviewed here and should be inspected before cloning/executing.
Credentials
The skill clearly needs a MEMORIES_API_KEY (SKILL.md and example code). The registry metadata claims no required environment variables, so the key is undeclared in the registry. Requesting an API key for the third-party Memories.ai service is reasonable for the stated purpose, but the lack of declaration is an inconsistency that could mislead users. Also consider privacy: providing the key grants the skill the ability to send video content (including internal recordings) to the Memories.ai service — ensure the user understands exposure of potentially sensitive data.
Persistence & Privilege
The skill does not request persistent 'always' inclusion and allows standard autonomous invocation. There is no evidence it attempts to modify other skills or system-wide settings. Example flows reference creating persistent indexed videos/memories on the Memories.ai service (expected for the use case).
What to consider before installing
This skill appears to do what it says (video discovery and analysis via Memories.ai), but before installing: (1) be aware the SKILL.md and example script require MEMORIES_API_KEY — the registry metadata does not declare this; only set a key you trust and understand that video content (including local recordings) will be sent to Memories.ai; (2) SKILL.md tells the agent to read marketing-context.md if present — confirm that file does not contain secrets you don't want read or transmitted; (3) the 'full' workflow points to an external GitHub repo for the real implementation — inspect that repo before cloning or running any code; (4) ask the skill author to fix the registry metadata to list MEMORIES_API_KEY as a required env var and to explicitly declare any config paths (like marketing-context.md) so you can make an informed decision. If you need higher assurance, request the full implementation code (or a package with an install spec) and a privacy/data-flow description of what is uploaded to Memories.ai.Like a lobster shell, security has layers — review code before you run it.
latestvk9720rjgzs6snjejwgy4099ydd82nrkw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.