ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gemini Video Analyzer

v1.0.0

Native video analysis using Google Gemini API. Upload and analyze video files — describe scenes, extract text/UI, answer questions about content, transcribe...

0· 656·1 current·1 all-time
by@aiwithabidi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and included scripts consistently implement video upload + Gemini model analysis against generativelanguage.googleapis.com. The single required credential (GOOGLE_AI_API_KEY) is the expected credential for this purpose. Minor mismatch: the declared required binaries include curl although the provided scripts use only python3/urllib; this is a small inconsistency but not evidence of malicious intent.
Instruction Scope
Runtime instructions and scripts explicitly upload user video files to Google Files API and then call the Gemini model — this is consistent with the stated purpose. Important privacy note: videos (and any text/UI/audio they contain) are transmitted to Google and may be processed server-side and retained per the API (SKILL.md claims ~48h retention). The instructions do not read unrelated files or other environment variables.
Install Mechanism
This is instruction-only plus two Python scripts with no install spec. Nothing is downloaded from third-party URLs during install; risk from installation is low. The scripts perform network calls at runtime (to Google endpoints) which is expected for this skill.
Credentials
Only GOOGLE_AI_API_KEY is requested and used, which is proportionate to contacting Google's Files/Generative Language APIs. Users should ensure the API key is scoped/restricted (project, API quotas, billing) because it could be used to bill requests or access other Google APIs depending on key permissions. The skill does not request unrelated secrets or config paths.
Persistence & Privilege
The skill is not force-included (always: false) and does not request persistent system-wide privileges or modify other skills. It runs as-invoked and uses only its own scripts and the provided API key.
Assessment
This skill appears to do what it says: it uploads videos to Google's Generative Language/Files API and asks Gemini to analyze them. Before installing or running: (1) Be aware that videos will be uploaded off your machine to Google — avoid uploading sensitive footage unless you accept that. (2) Use a restricted API key (limit to the specific project/APIs, set quotas, and rotate or revoke when done) to reduce blast radius if the key is leaked. (3) The declared requirement lists curl though the shipped scripts use python3; you may want to inspect the scripts yourself (they're included) to confirm behavior. (4) Verify billing/quota implications for large or frequent analysis and confirm the skill's publisher/homepage if provenance matters. If you require stronger guarantees (no external uploads), do not use this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk975y2bt5w4pdkw0g0c0ab8ets819j81

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
Binspython3, curl
EnvGOOGLE_AI_API_KEY
Primary envGOOGLE_AI_API_KEY

Comments