Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Sourcing Agent

v1.0.0

Run the Video Sourcing Agent with deterministic, concise chat UX for /video_sourcing using a pinned self-bootstrap runtime.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required env vars (GOOGLE_API_KEY, YOUTUBE_API_KEY) and required binaries (git, uv) are consistent with a video-sourcing agent that calls YouTube/Google APIs and bootstraps a runtime.
! Instruction Scope
SKILL.md and the included script explicitly require host execution with sandboxing off, clone a pinned GitHub repository at runtime, run 'uv sync' (installing dependencies) and then execute python code from that repo. The instructions also reference VIDEO_SOURCING_AGENT_ROOT (an env override) which is not listed in requires.env. Running externally fetched code unsandboxed and allowing background exec/polling is scope-expanding and increases attack surface.
Install Mechanism
No install spec in the registry bundle, but the shipped script bootstraps a pinned GitHub repo (well-known host) and runs 'uv sync' to install dependencies. Using a pinned tag reduces some risk, but the runtime will be written to disk (~/.openclaw/data/...), and dependency installation at runtime can pull additional packages—this is expected for this skill but notable.
Credentials
Requested credentials (GOOGLE_API_KEY, YOUTUBE_API_KEY) are appropriate for video sourcing. The script also honors VIDEO_SOURCING_AGENT_ROOT as an override (not declared as required), and the runner will read/set files under the user's home directory—no unrelated service credentials are requested.
! Persistence & Privilege
The skill does not require 'always:true', but it will create persistent files under ~/.openclaw/data/video-sourcing-agent and execute code there. Combined with the explicit expectation of sandbox mode off (host runtime execution), this grants the skill substantial ability to run unsandboxed code on the host—an elevated privilege relative to many instruction-only skills.
Scan Findings in Context
[no_pre_scan_injection_signals] expected: The static pre-scan reported no injection signals. That does not negate the runtime behavior: the shipped script clones and executes code from a remote GitHub repository at runtime.
What to consider before installing
This skill appears to do what it says (fetch and analyze social videos) and needs Google/YouTube API keys, but it bootstraps and executes a pinned GitHub repo on your machine without sandboxing. Before installing or running it:

  1. Verify you trust the GitHub repo and inspect the pinned tag (v0.2.3) source that will be cloned.
  2. Consider setting VIDEO_SOURCING_AGENT_ROOT to a vetted local copy instead of allowing automatic bootstrap.
  3. Limit the API keys' permissions and scope, and avoid using high-privilege keys.
  4. Be aware the skill will write into ~/.openclaw/data/... and install dependencies via 'uv sync'.
  5. If you cannot inspect the runtime or prefer stronger isolation, either do not enable host (unsandboxed) execution, or run it in an isolated environment (VM/container).

If anything unexpected happens, revoke the API keys and remove the managed runtime directory.


Runtime requirements

OS: macOS · Linux
Bins: git, uv
Env: GOOGLE_API_KEY, YOUTUBE_API_KEY
Primary env: GOOGLE_API_KEY

SKILL.md

Video Sourcing Skill

Use this skill when the user asks to find, compare, or analyze social videos (YouTube, TikTok, Instagram, Twitter/X), or explicitly invokes /video_sourcing.

This workflow expects host runtime execution (sandbox mode off). The runner auto-bootstraps a pinned runtime from Memories-ai-labs/video-sourcing-agent@v0.2.3 when VIDEO_SOURCING_AGENT_ROOT is not set.

Triggering

Run this workflow when either condition is true:

  1. Message starts with /video_sourcing.
  2. The user asks for video sourcing/trend/creator/brand analysis and wants concrete video links.

If /video_sourcing is used with no query body, ask for the missing query.

Execution contract

  1. Resolve query text:
    • /video_sourcing ... => strip /video_sourcing and use remaining text.
    • Free-form => use user message as query.
  2. Default to compact mode:
    • --event-detail compact
  3. If user asks for debugging/raw payloads:
    • Switch to --event-detail verbose

/video_sourcing deterministic path

  1. Build command with required args:
    • <skill_dir>/scripts/run_video_query.sh --query "<query>" --event-detail <compact|verbose> --ux-mode three_message --progress-gate-seconds 10
  2. Start with exec using background: true.
  3. Poll with process using action: "poll" every 2-4 seconds until process exits.
  4. Parse NDJSON output and render only these events:
    • started => send: Starting video sourcing...
    • ux_progress => send concise middle progress updates from summary (throttled by runner). Send each ux_progress as a separate assistant message in Telegram.
    • terminal event (complete, clarification_needed, error) => send final message as-is
  5. Do not forward raw progress, tool_call, or tool_result events for /video_sourcing.
  6. Do not rewrite final answer tone/style; preserve the user's existing OpenClaw personality behavior.

Behavior target for /video_sourcing:

  1. Fast run (<10s): 2 messages (started, terminal).
  2. Longer run (>=10s): recurring throttled ux_progress updates, then terminal.
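
An added example (not code from the skill or its repository) of the event filter in steps 4 and 5 above: an allow-list renderer that forwards only started, ux_progress and terminal events and drops everything else the runtime emits, including malformed lines. The JSON keys event, summary and message are assumptions, since the page names the event types but not the record layout; stopping at the first terminal event is also a choice made here.

```python
import json

# Event names come from the page; the keys "event", "summary" and "message"
# are assumed, because the page does not show the NDJSON record layout.
TERMINAL = {"complete", "clarification_needed", "error"}


def render_events(ndjson_text):
    """Return the chat messages to send for one /video_sourcing run."""
    messages = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON runner output is never forwarded to chat
        if not isinstance(record, dict):
            continue
        kind = record.get("event")
        if kind == "started":
            messages.append("Starting video sourcing...")
        elif kind == "ux_progress":
            summary = record.get("summary")
            if isinstance(summary, str) and summary:
                messages.append(summary)
        elif kind in TERMINAL:
            message = record.get("message")
            if isinstance(message, str):
                messages.append(message)  # final message is sent as-is
            break  # nothing after the terminal event is rendered
        # Anything else (progress, tool_call, tool_result, unknown) is dropped.
    return messages


# Constructed sample output, not captured from the real runner.
SAMPLE = "\n".join([
    '{"event": "started"}',
    '{"event": "tool_call", "name": "hypothetical_search_tool"}',
    'stray non-JSON text on stdout',
    '{"event": "progress", "raw": {"step": 1}}',
    '{"event": "ux_progress", "summary": "Searching YouTube and TikTok"}',
    '{"event": "tool_result", "payload": "..."}',
    '{"event": "complete", "message": "Top 3 videos: ..."}',
    '{"event": "ux_progress", "summary": "late event after terminal"}',
])

if __name__ == "__main__":
    for msg in render_events(SAMPLE):
        print(msg)
```

Because the runtime is code fetched at bootstrap, an allow-list keeps unexpected event types and raw tool payloads out of the chat by default.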

Free-form path (non-strict)

  1. Keep existing flexible behavior.
  2. Build command without forcing three_message mode:
    • <skill_dir>/scripts/run_video_query.sh --query "<query>" --event-detail <compact|verbose>
  3. Stream useful progress updates and final response naturally.

Final response format

When terminal event is complete:

  1. One short paragraph conclusion.
  2. Top 3 video references only by default:
    • title
    • url
    • one-line relevance note
  3. Tools used: ... with a compact status summary.

If fewer than 3 videos exist, show all available references.

When terminal event is clarification_needed:

  1. Ask the clarification question directly.
  2. Treat this as the final response for the current run.

When terminal event is error:

  1. Send concise failure reason.
  2. Include one actionable next step.

Safety and fallback

  1. If script fails due to missing env/tooling, explain exact missing piece (for example VIDEO_SOURCING_AGENT_ROOT, uv, or API key env var).
  2. If VIDEO_SOURCING_AGENT_ROOT is unset, the runner uses managed path:
    • ~/.openclaw/data/video-sourcing-agent/v0.2.3
  3. VIDEO_SOURCING_AGENT_ROOT remains an advanced override for local development.
  4. Keep response concise and action-oriented.
  5. Never fabricate video URLs or metrics.
