← Back to Skills Marketplace
Video Sourcing Agent
by
memories-ai-official
· GitHub ↗
· v1.0.0
406
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install video-sourcing-agent
Description
Run the Video Sourcing Agent with deterministic, concise chat UX for /video_sourcing using a pinned self-bootstrap runtime.
Usage Guidance
This skill appears to do what it says (fetch and analyze social videos) and needs Google/YouTube API keys, but it bootstraps and executes a pinned GitHub repo on your machine without sandboxing. Before installing or running it: 1) Verify you trust the GitHub repo and inspect the pinned tag (v0.2.3) source that will be cloned. 2) Consider setting VIDEO_SOURCING_AGENT_ROOT to a vetted local copy instead of allowing automatic bootstrap. 3) Limit the API keys' permissions and scope, and avoid using high-privilege keys. 4) Be aware the skill will write into ~/.openclaw/data/... and install dependencies via 'uv sync'. 5) If you cannot inspect the runtime or prefer stronger isolation, do not enable host (unsandboxed) execution or run it in an isolated environment (VM/container). If anything unexpected happens, revoke the API keys and remove the managed runtime directory.
Capability Analysis
Type: OpenClaw Skill
Name: video-sourcing-agent
Version: 1.0.0
The skill is classified as suspicious primarily due to significant supply chain risks and potential command injection vulnerabilities, exacerbated by explicit host execution (sandbox mode off). The `scripts/run_video_query.sh` file downloads and executes code from an external GitHub repository (`https://github.com/Memories-ai-labs/video-sourcing-agent.git`) and installs its dependencies via `uv sync`. A compromise of this external repository would lead to arbitrary code execution on the host. Additionally, user input (`<query>`) is passed directly to the `uv run python` command, creating a potential for command or argument injection if not meticulously sanitized by the downstream Python application. The skill also requires access to sensitive `GOOGLE_API_KEY` and `YOUTUBE_API_KEY` environment variables, increasing the impact of a successful exploit.
Capability Assessment
Purpose & Capability
Name/description, required env vars (GOOGLE_API_KEY, YOUTUBE_API_KEY) and required binaries (git, uv) are consistent with a video-sourcing agent that calls YouTube/Google APIs and bootstraps a runtime.
Instruction Scope
SKILL.md and the included script explicitly require host execution with sandboxing off, clone a pinned GitHub repository at runtime, run 'uv sync' (installing dependencies) and then execute python code from that repo. The instructions also reference VIDEO_SOURCING_AGENT_ROOT (an env override) which is not listed in requires.env. Running externally fetched code unsandboxed and allowing background exec/polling is scope-expanding and increases attack surface.
Install Mechanism
No install spec in the registry bundle, but the shipped script bootstraps a pinned GitHub repo (well-known host) and runs 'uv sync' to install dependencies. Using a pinned tag reduces some risk, but the runtime will be written to disk (~/.openclaw/data/...), and dependency installation at runtime can pull additional packages—this is expected for this skill but notable.
Credentials
Requested credentials (GOOGLE_API_KEY, YOUTUBE_API_KEY) are appropriate for video sourcing. The script also honors VIDEO_SOURCING_AGENT_ROOT as an override (not declared as required), and the runner will read/set files under the user's home directory—no unrelated service credentials are requested.
Persistence & Privilege
The skill does not require 'always:true', but it will create persistent files under ~/.openclaw/data/video-sourcing-agent and execute code there. Combined with the explicit expectation of sandbox mode off (host runtime execution), this grants the skill substantial ability to run unsandboxed code on the host—an elevated privilege relative to many instruction-only skills.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install video-sourcing-agent - After installation, invoke the skill by name or use
/video-sourcing-agent - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: deterministic video sourcing agent with self-bootstrap runtime
Metadata
Frequently Asked Questions
What is Video Sourcing Agent?
Run the Video Sourcing Agent with deterministic, concise chat UX for /video_sourcing using a pinned self-bootstrap runtime. It is an AI Agent Skill for Claude Code / OpenClaw, with 406 downloads so far.
How do I install Video Sourcing Agent?
Run "/install video-sourcing-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Video Sourcing Agent free?
Yes, Video Sourcing Agent is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Video Sourcing Agent support?
Video Sourcing Agent is cross-platform and runs anywhere OpenClaw / Claude Code is available (macos, linux).
Who created Video Sourcing Agent?
It is built and maintained by memories-ai-official (@memories-ai-official); the current version is v1.0.0.
More Skills