luci-upload

Pass

Audited by ClawScan on May 7, 2026.

Overview

This skill appears to do what it says—upload user-selected media to memories.ai—but users should notice it uses an API key and sends media plus time/location data to external services.

Before installing, be comfortable with selected media and associated time/location data being uploaded to memories.ai. Keep MEMORIES_AI_KEY secure, confirm the exact file path before upload, and review the full scripts/run.py source if available because the supplied source excerpt was truncated.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A video or image chosen by the agent/user will be sent to memories.ai.

Why it was flagged

The script reads the user-specified local file and uploads it to the memories.ai API. This matches the skill purpose, but the selected file contents leave the local environment.

Skill content

with open(filepath, "rb") as f:
    file_data = f.read()
...
req = urllib.request.Request(url, data=body, method="POST"

Recommendation

Use the probe-first workflow and confirm the exact file path before uploading sensitive media.

What this means

The skill can upload media under the account associated with the provided Memories.ai key.

Why it was flagged

The skill uses MEMORIES_AI_KEY from the environment or a local .env file as the authorization header for memories.ai. This is declared and expected for the service integration.

Skill content

api_key = os.environ.get("MEMORIES_AI_KEY", "").strip() or _load_env()
...
"authorization": api_key

Recommendation

Provide only the intended API key, keep the .env file private, and revoke or rotate the key if the skill or environment is no longer trusted.

What this means

A typed place name may be shared with the external geocoding provider in addition to memories.ai receiving the final coordinates.

Why it was flagged

When --location is used, the location text is sent to OpenStreetMap Nominatim for geocoding. The SKILL.md discloses automatic geocoding, but users may not realize a third-party geocoder receives the location query.

Skill content

url = f"https://nominatim.openstreetmap.org/search?{params}"

Recommendation

Avoid using --location for sensitive places, or provide explicit latitude/longitude if you do not want the location name sent to a geocoding service.