VideoDB Monitoring
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: videodb-monitoring
Version: 1.0.1
The videodb-monitoring skill provides legitimate screen recording, transcription, and search capabilities using the VideoDB service. The bundle includes a background monitor (monitor.ts) that captures screen and audio data and a CLI tool (videodb.ts) for generating stream URLs and searching recordings. While the skill requires high-privilege permissions (screen/microphone access) and modifies the OpenClaw configuration file to store session state and API keys, these actions are explicitly documented and necessary for the stated functionality. No evidence of malicious exfiltration, obfuscation, or unauthorized command execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A screen recording process may continue running after the requested task and capture later activity unless the user manually stops it.
The skill directs the agent to launch a detached background monitor when it is not already running, but the main workflow does not pair this with a routine stop-monitor step.
If not `true`, start the monitor: `cd {baseDir} && nohup npx tsx monitor.ts > ~/.videodb/logs/monitor.log 2>&1 & disown && sleep 3`
Require explicit user confirmation before starting the monitor, add a normal stop command or time limit, and clearly show recording status.
Sensitive information visible on the screen or audible in system audio could be stored with the external provider and exposed through generated recording links.
The monitor captures the default display and optional system audio with `store: true` through the VideoDB capture client, but the artifacts do not describe retention, sharing permissions, or access controls for the stored recordings.
selected.push({ channelId: display.id, type: "video", store: true }); ... selected.push({ channelId: systemAudio.id, type: "audio", store: true }); ... await client.startSession({ sessionId, channels: selected as any });
Use only in environments where recording is acceptable, avoid sensitive screens, and document VideoDB retention, sharing, and deletion controls.
Past screen activity and audio may become searchable and reusable later, including sensitive meeting content, websites, documents, or credentials visible on screen.
The skill can create searchable visual, audio, and transcript indexes of broad screen activity. The docs say to start this when needed, but they do not clearly define retention, deletion, or reuse boundaries.
This starts:
- transcript capture for system audio
- audio indexing
- visual indexing
Start indexing only for explicit user requests, limit the time window, stop it immediately afterward, and provide deletion/retention controls for indexes and transcripts.
If the stored PID is stale or incorrect, starting the skill could terminate an unrelated local process.
Startup cleanup terminates the PID stored in OpenClaw config as the prior monitor without verifying that the PID still belongs to this skill's monitor process.
process.kill(pid, "SIGTERM"); ... process.kill(pid, "SIGKILL");
Verify the process identity before killing it, avoid SIGKILL when possible, and fail safely if the stored PID cannot be confirmed as this monitor.
The key may allow recording, storage, indexing, and account-cost actions in the user's VideoDB account.
A VideoDB API key is expected for this integration, but the agent is instructed to handle and store it in OpenClaw configuration.
Ask the user for their VideoDB API key ... `openclaw config set skills.entries.videodb-monitoring.env.VIDEODB_API_KEY 'sk-xxx'`
Prefer setting the key manually, use the least-privileged or dedicated key available, and rotate or revoke it if the skill is no longer used.
Installing or running the skill depends on third-party package versions resolved at install time.
The skill relies on npm packages with version ranges and no lockfile shown in the manifest, which is common but means installed code may vary over time.
"dependencies": { "videodb": "^0.2.1" }, "devDependencies": { "tsx": "^4.7.0", "@types/node": "^20.0.0" }
Review the package source, pin exact versions with a lockfile, and install from trusted registries.
