ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Searching

v1.0.2

Search and analyze videos across YouTube, TikTok, Instagram, and X/Twitter via the Memories.ai Video Searching API.

3· 438·1 current·1 all-time
by@memories-ai-official
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binaries (curl, jq), and required env var (MEMORIES_API_KEY) line up with a video-search API integration. However, the SKILL.md calls a runner at <skill_dir>/scripts/run_video_query.sh while the included file is run_video_query.sh at the repository root (path mismatch). The API host used by the script (mavi-backend.memories.ai) differs from the public homepage domain (api-tools.memories.ai) — that can be normal but is worth checking.
Instruction Scope
SKILL.md runtime instructions stay within the task: construct query JSON, call the SSE endpoint, parse NDJSON events, and present results / clarifications / errors. The instructions do not ask the agent to read unrelated files or additional environment variables. The only scope issue is the referenced script path that doesn't match the packaged file name.
Install Mechanism
This is an instruction-only skill with one included shell runner; there is no download/install step or external package fetch. That minimizes install-time risk.
Credentials
Only MEMORIES_API_KEY is required, which is appropriate for this API-based skill. The script sends the key in an Authorization header; verify the service expects the token in that exact header format and avoid logging the value.
Persistence & Privilege
Skill is user-invocable, not always: true, and can be invoked autonomously per platform default. It does not request system-wide config or other skills' credentials.
What to consider before installing
This skill appears to implement what it claims, but check a few things before installing: 1) confirm the runner path the agent will execute — SKILL.md references scripts/run_video_query.sh but the bundle contains run_video_query.sh at the root (fix or reconcile the path). 2) Verify the API host (mavi-backend.memories.ai) is the official backend for the vendor linked on the homepage, and confirm the expected Authorization header format (the script sends the raw token). 3) Ensure MEMORIES_API_KEY you provide has the minimal scope needed and that logs/agent output won't leak the token. 4) If you don't trust the skill source, require manual review or run the script in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d6j0gq4q1qaad4xnrxjcwt184vzc2sourcingvk97fkxb898ewxte252ew8wecg5821nactiktokvk97fkxb898ewxte252ew8wecg5821nacvideovk97fkxb898ewxte252ew8wecg5821nacyoutubevk97fkxb898ewxte252ew8wecg5821nac

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

OSmacOS · Linux
Binscurl, jq
EnvMEMORIES_API_KEY

Comments