ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Echosaw Media Intelligence

v1.3.2

Analyze video, audio, and image files using AI. Produces structured intelligence reports including transcripts, content moderation signals, sentiment analysi...

1· 95·0 current·0 all-time
by@echosaw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchasesRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to be a media-intelligence wrapper and only requests an ECHOSAW_API_KEY (and an optional ECHOSAW_API_URL). These credentials are what you'd expect for a cloud media-analysis API proxy. Declared tooling (transcription, visual recognition) matches the stated purpose.
Instruction Scope
The runtime instructions instruct the agent to read local files by absolute path (echosaw_analyze_media) and/or submit remote URLs. That is expected for a media upload API, but it means the agent can read any file path you supply — avoid passing sensitive system files. The SKILL.md does not instruct reading unrelated env vars or system configs.
Install Mechanism
The registry summary said there is no install spec, but SKILL.md includes an "install: https://mcp.echosaw.com" field. That appears informational (no archive or package download described). No code files are present and no installer payloads are specified, so there is no automatic code-install risk from the skill bundle itself.
Credentials
Only ECHOSAW_API_KEY is required (ECHOSAW_API_URL optional). No unrelated credentials (AWS keys, database passwords, etc.) are requested. This is proportionate for a hosted API integration.
Persistence & Privilege
The skill is not force-enabled (always: false) and does not request system-wide persistence or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
Assessment
This skill appears internally consistent for a hosted media-analysis API: it needs only your ECHOSAW_API_KEY and will upload or reference media files you provide. Before installing, confirm you trust echosaw.com and their data-handling (retention, sharing, third-party processing — SKILL.md states Echosaw uses AWS/Bedrock services). Do not give the agent file paths to sensitive system files or credentials; only submit the intended media. Note the registry display had a small metadata rendering inconsistency (required env shown as [object Object]) and SKILL.md includes an install URL; verify the provider homepage and pricing links and consider reading their privacy/terms if you will send sensitive content.

Like a lobster shell, security has layers — review code before you run it.

latestvk971aznk33mzdgx2h75xkzkb0h84kf86

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Env[object Object], [object Object]

Comments