Skill v1.0.0
VirusTotal security
Video Sourcing Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:43 AM
- Hash: e81589b69038a284a9dd26d992673d897ada15b223956539142a84d9b2ebe333
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: video-sourcing-agent; Version: 1.0.0. The skill is classified as suspicious primarily due to significant supply chain risks and potential command injection vulnerabilities, exacerbated by explicit host execution (sandbox mode off). The `scripts/run_video_query.sh` file downloads and executes code from an external GitHub repository (`https://github.com/Memories-ai-labs/video-sourcing-agent.git`) and installs its dependencies via `uv sync`. A compromise of this external repository would lead to arbitrary code execution on the host. Additionally, user input (`<query>`) is passed directly to the `uv run python` command, creating a potential for command or argument injection if not meticulously sanitized by the downstream Python application. The skill also requires access to sensitive `GOOGLE_API_KEY` and `YOUTUBE_API_KEY` environment variables, increasing the impact of a successful exploit.
