Run the Video Sourcing Agent with deterministic, concise chat UX for /video_sourcing using a pinned self-bootstrap runtime.
Security Analysis
Medium confidence
The skill's declared purpose (video sourcing) aligns with what it requests and runs, but it bootstraps and executes a pinned GitHub runtime on the host and requires live API keys — so it is coherent but carries notable operational risk you should understand before enabling.
The name/description, required binaries (git, uv), and required env vars (GOOGLE_API_KEY, YOUTUBE_API_KEY) match a video-sourcing agent that calls Google/YouTube APIs and needs to clone and run a runtime. Nothing requested appears unrelated to the stated purpose.
The SKILL.md instructs the agent to run host-side code (sandbox off), bootstrap a pinned runtime by cloning a GitHub repo, install dependencies with 'uv', and execute a Python module. That behavior is consistent with the skill's purpose but expands scope to downloading and executing third-party code and writing files under ~/.openclaw — a meaningful increase in runtime privilege and attack surface that users should explicitly accept.
There is no packaged install spec; the included script clones a pinned tag from a GitHub repo (a well-known host) and runs 'uv sync' and then 'uv run python -m ...'. Using GitHub releases and a pinned tag is preferable to arbitrary URLs, but this still results in network-download-and-execute behavior and installs runtime dependencies on first run.
Requested env vars (GOOGLE_API_KEY as primary, YOUTUBE_API_KEY) are reasonable for a video-sourcing tool. The script optionally respects VIDEO_SOURCING_AGENT_ROOT and OPENCLAW_HOME; no unrelated secrets or extra credentials are requested.
The script persists a managed runtime under ~/.openclaw/data/video-sourcing-agent/v0.2.3 and uses a bootstrap marker and lock directory. The skill does not request 'always: true', nor does it modify other skills, but it does require host execution and will install files into the user's home directory.
Guidance
This skill appears to do what it says (video sourcing) but: (1) it will clone and run code from the pinned GitHub repo on your machine and install runtime dependencies — only enable if you trust that repo/tag; (2) it requires your GOOGLE_API_KEY and YOUTUBE_API_KEY — limit those keys' scope, review quotas and rotate them if you later disable the skill; (3) it writes persistent files under ~/.openclaw/data and requires sandbox-off execution, increasing risk — consider reviewing the repository contents (Memories-ai-labs/[email protected]) before use, or run it in a controlled environment; (4) if you want to be extra cautious, set VIDEO_SOURCING_AGENT_ROOT to a vetted local copy to avoid network bootstrapping. If you are unsure about trusting the upstream repo, do not install or provide credentials.
Latest Release
v1.0.0
Initial release: deterministic video searching agent with self-bootstrap runtime
Published by @memories-ai-official on ClawHub