Back to skill
Skillv1.0.0
ClawScan security
Video Sourcing Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 28, 2026, 4:49 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's declared requirements match its purpose, but it instructs the agent to bootstrap and execute external code on the host (sandbox off) and write into your home directory, which increases risk and deserves caution.
- Guidance
- This skill appears to do what it says (fetch and analyze social videos) and needs Google/YouTube API keys, but it bootstraps and executes a pinned GitHub repo on your machine without sandboxing. Before installing or running it: 1) Verify you trust the GitHub repo and inspect the pinned tag (v0.2.3) source that will be cloned. 2) Consider setting VIDEO_SOURCING_AGENT_ROOT to a vetted local copy instead of allowing automatic bootstrap. 3) Limit the API keys' permissions and scope, and avoid using high-privilege keys. 4) Be aware the skill will write into ~/.openclaw/data/... and install dependencies via 'uv sync'. 5) If you cannot inspect the runtime or prefer stronger isolation, do not enable host (unsandboxed) execution or run it in an isolated environment (VM/container). If anything unexpected happens, revoke the API keys and remove the managed runtime directory.
- Findings
[no_pre_scan_injection_signals] expected: The static pre-scan reported no injection signals. That does not negate the runtime behavior: the shipped script clones and executes code from a remote GitHub repository at runtime.
Review Dimensions
- Purpose & Capability
- okName/description, required env vars (GOOGLE_API_KEY, YOUTUBE_API_KEY) and required binaries (git, uv) are consistent with a video-sourcing agent that calls YouTube/Google APIs and bootstraps a runtime.
- Instruction Scope
- concernSKILL.md and the included script explicitly require host execution with sandboxing off, clone a pinned GitHub repository at runtime, run 'uv sync' (installing dependencies) and then execute python code from that repo. The instructions also reference VIDEO_SOURCING_AGENT_ROOT (an env override) which is not listed in requires.env. Running externally fetched code unsandboxed and allowing background exec/polling is scope-expanding and increases attack surface.
- Install Mechanism
- noteNo install spec in the registry bundle, but the shipped script bootstraps a pinned GitHub repo (well-known host) and runs 'uv sync' to install dependencies. Using a pinned tag reduces some risk, but the runtime will be written to disk (~/.openclaw/data/...), and dependency installation at runtime can pull additional packages—this is expected for this skill but notable.
- Credentials
- noteRequested credentials (GOOGLE_API_KEY, YOUTUBE_API_KEY) are appropriate for video sourcing. The script also honors VIDEO_SOURCING_AGENT_ROOT as an override (not declared as required), and the runner will read/set files under the user's home directory—no unrelated service credentials are requested.
- Persistence & Privilege
- concernThe skill does not require 'always:true', but it will create persistent files under ~/.openclaw/data/video-sourcing-agent and execute code there. Combined with the explicit expectation of sandbox mode off (host runtime execution), this grants the skill substantial ability to run unsandboxed code on the host—an elevated privilege relative to many instruction-only skills.