ClawHub
Back to skill
v1.0.0

Influencer Report

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:06 AM.

Analysis

The skill appears aligned with generating influencer reports, but users should notice that it uses Memories.ai API keys and sends profile/video task data to external Memories-related endpoints.

GuidanceThis looks like a coherent influencer-reporting skill. Before using it, make sure you are comfortable sending creator profile/video URLs to Memories.ai, use a dedicated or limited API key if possible, and confirm the demo webhook endpoint is expected in your workflow.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceMediumStatusNote
scripts/influencer_report.py
def v1_list_videos(v1_key: str) -> list[dict]: ... "List all videos in the V1 library." ... requests.post(url, headers=headers, json={}, timeout=30)

The V1 API key is used for a broad library listing call. This appears tied to the documented workflow, but it may access more than just the single influencer/profile being vetted.

User impactThe script may enumerate videos already present in the connected Memories.ai library, not only newly scraped creator videos.
RecommendationPrefer a dedicated Memories.ai workspace/key for influencer vetting, and review what content is present in that library before use.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Required environment variables: - `MEMORIES_V1_API_KEY` — Memories.ai V1 API key (scraper, library, search) - `MEMORIES_API_KEY` — Memories.ai V2 API key

The skill requires provider API keys for account-backed Memories.ai functions. This is purpose-aligned, but it is sensitive access that users should notice, especially because the registry metadata declares no required env vars or primary credential.

User impactInstalling or using the skill may require granting it access to a Memories.ai account/API workspace.
RecommendationUse scoped, revocable API keys where possible and avoid using keys tied to unrelated or sensitive Memories.ai libraries.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceMediumStatusNote
scripts/influencer_report.py
webhook_url = f"https://demo.memories-ai.org/webhooks/memories/result/{task_id}" ... resp = requests.get(webhook_url, timeout=15)

The script polls a demo webhook/result endpoint for task completion that is not listed in SKILL.md's API endpoint table. It is related to the Memories workflow, but the data boundary and access control are less clearly disclosed.

User impactTask identifiers and analysis results may be retrieved through an additional Memories-related webhook domain.
RecommendationVerify that the webhook domain is expected for your Memories.ai account and avoid submitting private or sensitive video URLs unless that data flow is acceptable.