Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Editing Agent (VEA)
v1.1.2
Video Editing Agent (VEA) for automated video processing, highlight generation, and editing. Use when asked to index videos, create highlight reels, generate...
⭐ 1· 549·1 current·1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared registry requirements list only MEMORIES_API_KEY and ffmpeg, but the SKILL.md and included files clearly require multiple other API keys (GOOGLE_API_KEY, ELEVENLABS_API_KEY, SOUNDSTRIPE_KEY) and GCP auth for full functionality. That mismatch between what's declared and what's actually needed is incoherent.
Instruction Scope
The runtime instructions call for cloning a GitHub repo, running a remote installer (curl | sh), running gcloud auth, starting a local server, and sending video frames/text to external services (Memories.ai, ElevenLabs, Soundstripe). They also expect you to store API keys in a local config.json, which the scripts read. Those steps transmit user data outside the local machine and go beyond simple local ffmpeg processing.
Install Mechanism
Although the registry lists 'instruction-only', SKILL.md recommends running curl -LsSf https://astral.sh/uv/install.sh | sh to install the 'uv' package manager. Executing a remote install script is higher-risk than using a curated package and should be reviewed or replaced with a pinned release. Git cloning from GitHub is normal but no release pinning is recommended.
Credentials
Registry metadata declares only MEMORIES_API_KEY as required, but the config schema and scripts require/consume GOOGLE_API_KEY, ELEVENLABS_API_KEY, SOUNDSTRIPE_KEY, and possibly GCP credentials. Requiring multiple unrelated third‑party credentials (and loading them into env vars via config.json) is disproportionate to a simple local ffmpeg-based editor and increases data-exposure risk.
Persistence & Privilege
The skill does not request always: true and does not modify other skills. It runs a local server (localhost:8000), creates tmux/nohup processes and writes outputs/logs under ~/vea and /tmp. Running a persistent local server is expected for this functionality but increases blast radius if API keys or incoming requests are misconfigured.
What to consider before installing
This skill appears to be a legitimate video-editing service but contains several red flags you should address before installing:
(1) The registry only lists MEMORIES_API_KEY, yet the code and docs require Google, ElevenLabs, and Soundstripe API keys plus possible GCP auth. Verify whether you need to supply all of them.
(2) The install instructions include running a remote install script (curl | sh). Avoid blindly running it; review the script or install dependencies via trusted package managers.
(3) The service uploads frames/text to external providers (Memories.ai, ElevenLabs, Soundstripe). Confirm you are comfortable sharing video content and transcripts with these services and check their privacy/TOS.
(4) Inspect the GitHub repo/source (pin a commit or release) and review src/app.py (not included here) for unexpected network calls or secrets exfiltration.
(5) Run the skill in an isolated environment (VM/container) and keep API keys limited (scoped, revocable).
If you need help auditing specific files (e.g., src/app.py) or verifying the remote installer script, provide them and I can analyze further.
Like a lobster shell, security has layers — review code before you run it.
latestvk971kjt25byk48d4yv7smv8mqh81pcwt
Runtime requirements
Bins: ffmpeg
Env: MEMORIES_API_KEY
Primary env: MEMORIES_API_KEY
