Video Sourcing

Warn. Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for video sourcing, but it downloads and runs a GitHub-hosted Python runtime outside the sandbox with your Google/YouTube API keys.

Review and trust the Memories-ai-labs/video-sourcing-agent repository before installing. Use restricted API keys, expect a first-run download into ~/.openclaw/data, and prefer sandboxing or a container if you are not comfortable running the bootstrapped Python agent directly on your host.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the external repository, tag, or dependency lock is compromised or changes unexpectedly, code outside this review could run on the user’s machine.

Why it was flagged

On first use, the skill can fetch a separate runtime and install its dependencies from GitHub; that runtime code is not included in the supplied skill manifest, and the artifact pins a tag rather than an immutable commit hash.

Skill content
git clone --depth 1 --branch "${PINNED_TAG}" "${PINNED_REPO_URL}" "${MANAGED_RELEASE_DIR}" ... uv sync --frozen --no-dev
Recommendation

Install only if you trust the GitHub repository; prefer an immutable commit or signed release, review the remote code and lockfile, and consider vendoring the runtime in the reviewed artifact.

What this means

The runner can execute with the local user’s permissions and access the process environment, including configured API keys.

Why it was flagged

The skill executes a Python module from the resolved runtime root; by default that root is the bootstrapped GitHub checkout, and SKILL.md states the workflow expects host runtime execution with sandbox mode off.

Skill content
cd "${RUNTIME_ROOT}"
uv run python -m video_sourcing_agent.integrations.openclaw_runner "$@"
Recommendation

Run only in a trusted environment, use sandboxing or a container where possible, and require explicit user awareness before the first bootstrap/run.

What this means

The external runner can use the configured API keys for provider requests.

Why it was flagged

The skill requires Google and YouTube API keys, which is expected for video sourcing, but those credentials will be available to the launched runtime.

Skill content
require_env_key GOOGLE_API_KEY
require_env_key YOUTUBE_API_KEY
Recommendation

Use restricted, least-privilege API keys where possible and monitor quota or billing usage.

What this means

A video-sourcing request can start a local process for several minutes.

Why it was flagged

The skill intentionally uses the exec/process tools to run a local background job; the timeout and single-run rule reduce but do not eliminate the need for user awareness.

Skill content
Start with `exec` using `background: true` and an explicit timeout:
- `timeout: 420`
Recommendation

Keep the timeout and one-active-run guard, and ensure users know when a local run is being started.