Memories Api
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Requests may run under an unknown account, which can expose submitted video URLs/prompts/results through that account, cause unexpected billing or quota use, and leak the embedded credential itself.
The helper silently falls back to an embedded Memories.ai API key instead of requiring the user-declared MEMORIES_API_KEY.
if os.environ.get("MEMORIES_API_KEY"):
    return os.environ["MEMORIES_API_KEY"]
# Default key from TOOLS.md
return "sk-mavi-mjLNMGVX..."
Remove the hardcoded key, rotate it if it is real, require the user to supply MEMORIES_API_KEY explicitly, and declare the credential as the primary credential.
Transcript or video-analysis results for submitted videos could be delivered to a demo endpoint the user does not control.
Async MAI transcript jobs use a demo webhook automatically when the caller does not provide a callback URL.
DEFAULT_WEBHOOK = "https://demo.memories-ai.org/webhooks/memories/callback" ... data["callback_url"] = callback_url or DEFAULT_WEBHOOK
Do not use a default external webhook for user data. Require an explicit callback URL, clearly document who controls it and how results are stored, or default to polling instead.
If invoked with the wrong path or asset ID, the agent could upload a private video, write a downloaded file to an unintended location, or delete a Memories.ai asset.
The skill documents file upload/download and asset deletion operations, which are expected for a video operations API but can affect local files or remote assets.
# Upload local video
asset_url = client.upload_video("/path/to/video.mp4")
# Download video
client.download_video(video_url, "/path/to/save.mp4")
# Delete asset
client.delete_asset(asset_id)
Use these operations only with explicit user-selected files and asset IDs, and confirm destructive actions such as deletion.
