Back to skill
Skillv1.0.1
ClawScan security
Viral Video Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 23, 2026, 7:07 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required credential (MEMORIES_API_KEY) line up with its stated purpose of sending video URLs to a transcription service and producing feedback reports; there are no signs of unrelated credential requests, hidden endpoints, or covert data exfiltration beyond the documented Memories.ai API use.
- Guidance
- This skill is internally consistent with its stated purpose, but review these points before installing: (1) Transcripts and any video URLs you submit are sent to Memories.ai (https://mavi-backend.memories.ai) — check their privacy policy and be comfortable with that data flow. (2) The skill needs a MEMORIES_API_KEY; only provide a key with appropriate scope and revoke it if you stop using the skill. (3) Batch mode reads local Excel files and the report generator writes PDFs to disk — only run it on data you intend to share. (4) The SKILL.md claims automatic package installation for report generation, but the script actually asks you to pip-install dependencies manually; expect to install fpdf2, pandas, and openpyxl yourself. If any of these points are unacceptable (for example, you cannot send transcripts to an external service), do not install or invoke the skill.
Review Dimensions
- Purpose & Capability
- okThe skill is designed to transcribe video audio and produce creator feedback; it requires a single MEMORIES_API_KEY and calls https://mavi-backend.memories.ai, which matches the SKILL.md and metadata. Required resources (Excel input, PDF output) are coherent with batch analysis and reporting.
- Instruction Scope
- okRuntime instructions and the included Python scripts only read video URLs (or Excel files for batch), call the Memories.ai transcription endpoint, analyze transcripts against thresholds, and optionally write a PDF. The SKILL.md and code explicitly document sending video URLs and transcripts to Memories.ai; the skill does not read other system secrets or unrelated files.
- Install Mechanism
- noteThere is no install spec (instruction-only-style), which minimizes installation risk. The scripts require standard Python packages (fpdf2, pandas, openpyxl). SKILL.md claims generate_report.py will "auto-install" packages if missing, but the generate_report.py script actually exits and prints a pip install suggestion rather than auto-installing — minor inconsistency but not a security risk.
- Credentials
- okOnly one credential is requested: MEMORIES_API_KEY (primaryEnv). That key is required to call the documented Memories.ai API endpoint; no unrelated credentials or config paths are requested. The code uses only that env var.
- Persistence & Privilege
- okThe skill does not request always:true and does not modify other skills or system-wide configs. It writes output files (PDF reports) to disk when requested, which aligns with its reporting purpose.