Viral Video Analysis

PassAudited by ClawScan on May 1, 2026.

Overview

This skill appears coherent and purpose-aligned, but it uses a Memories.ai API key and sends video links to Memories.ai for transcription.

Before installing, make sure you are comfortable sending video URLs to Memories.ai and processing any creator ROI spreadsheets with this tool. Use a dedicated API key, avoid analyzing private videos unless allowed, and install Python dependencies in a controlled environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI03: Identity and Privilege Abuse

What this means

Using the skill requires a service API key, so misuse of the local environment or logs could affect the user's Memories.ai account.

Why it was flagged

The script uses a Memories.ai API key from the environment as an authorization credential. This is expected for the service integration and is disclosed, but it still gives the skill access to the user's Memories.ai account/quota.

Skill content

API_KEY = os.environ.get("MEMORIES_API_KEY", "") ... HEADERS = {"Authorization": API_KEY}

Recommendation

Use a dedicated API key with the minimum needed access, avoid sharing the key, and rotate it if exposed.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Private, unlisted, or campaign-sensitive video links may be processed by a third-party service.

Why it was flagged

The artifact shows video URLs being sent to the Memories.ai backend for transcription. This external provider flow is central to the skill and disclosed, but users should treat video URLs and transcripts as potentially sensitive.

Skill content

requests.post(f"{BASE_URL}/{platform}/video/transcript", headers=HEADERS, json={"video_url": video_url, "channel": "rapid"}, timeout=60)

Recommendation

Review Memories.ai's privacy policy and only analyze videos that are acceptable to share with that service.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing unpinned packages can introduce normal supply-chain risk if a package source or version is compromised.

Why it was flagged

The skill references third-party Python dependencies without pinned versions or an install spec. This is common for a helper script and not evidence of malicious behavior, but users should install dependencies intentionally from trusted sources.

Skill content

Python packages: `generate_report.py` will auto-install `fpdf2`, `pandas`, `openpyxl` if missing

Recommendation

Install dependencies in a virtual environment and pin versions if using this skill in a production workflow.