Veo 3 Video Gen (Gemini API)

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill generates videos through Google Gemini/Veo. To do so it reads a Gemini API key, installs runtime Python dependencies, makes external API requests, and runs local ffmpeg commands; all of this is expected for the stated purpose, but each item is worth noting before use.

This appears purpose-aligned and suitable to review as benign. Before installing or using it: use a restricted Gemini API key and supply it through GEMINI_API_KEY rather than --api-key; confirm the number of segments, since each segment is a separate billed or quota-consuming request; avoid sensitive prompts or reference images unless you intend to send them to Google; and use a trusted ffmpeg installation with output filenames that cannot overwrite anything important.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generating multiple segments can make multiple paid or quota-consuming API calls, and prompt content is sent to the provider.

Why it was flagged

The skill clearly discloses that each segment invokes the external Veo API. This is expected for video generation, but it can consume quota or billing and may send user-provided prompt content to Google.

Skill content
**Important:** This skill sends **one prompt per segment** (one Veo request per segment).
Recommendation

Confirm the segment count and avoid including sensitive prompt content unless you intend to send it to the Gemini/Veo API.

What this means

A supplied API key can authorize Gemini API usage and may consume account quota or billing.

Why it was flagged

The script accepts a Gemini API credential. This is purpose-aligned for using Google Veo, but the registry metadata declares no primary credential or required env vars, and a secret passed on the command line can be exposed locally through shell history and process listings (for example ps or /proc/<pid>/cmdline on Linux).

Skill content
parser.add_argument("--api-key", "-k", help="API key (overrides GEMINI_API_KEY)")
Recommendation

Prefer a restricted GEMINI_API_KEY environment variable over passing --api-key on the command line, and rotate the key if it may have been exposed.
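The following is an added example of how a script like this one can resolve the key without putting it on the command line; it is not the skill's own code. It keeps the skill's --api-key option for compatibility but, unlike the skill (whose --api-key "overrides GEMINI_API_KEY"), gives the environment variable precedence and only falls back to the command-line value with a warning. The --api-key-file option, the file-permission check and the function names are this example's own assumptions, not features of the skill.

```python
"""Added example (not the skill's code): resolve a Gemini API key without
relying on a command-line argument.

Precedence here is the example's choice: GEMINI_API_KEY, then a key file,
then --api-key as a last resort. The --api-key-file option is hypothetical.
"""
import argparse
import os
import warnings
from pathlib import Path


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(description="example key handling")
    # Kept for compatibility, but a value here lands in shell history and ps.
    p.add_argument("--api-key", "-k",
                   help="API key (discouraged: visible in shell history and process listings)")
    # Hypothetical alternative: a file readable only by the current user.
    p.add_argument("--api-key-file",
                   help="file containing the API key (mode 0600 recommended)")
    return p


def resolve_api_key(argv, environ=None):
    """Return (key, source) where source is 'env', 'file' or 'argv'."""
    environ = os.environ if environ is None else environ
    args = build_parser().parse_args(argv)

    key = environ.get("GEMINI_API_KEY")
    if key:
        return key.strip(), "env"

    if args.api_key_file:
        path = Path(args.api_key_file)
        mode = path.stat().st_mode & 0o777
        if mode & 0o077:
            # Group/other bits set: another local user could read the key.
            warnings.warn(f"{path} is readable by other users (mode {mode:o})")
        return path.read_text().strip(), "file"

    if args.api_key:
        # The key is already in argv, so it may already be in shell history
        # and in process listings; tell the operator so they can rotate it.
        warnings.warn("--api-key was passed on the command line; consider rotating the key")
        return args.api_key, "argv"

    raise SystemExit("no API key: set GEMINI_API_KEY or pass --api-key-file")
```

With GEMINI_API_KEY set, the script never sees the key in argv at all; when --api-key is used anyway, the warning is the cue to rotate the key after the run.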

What this means

Future dependency versions could change behavior or introduce compatibility issues.

Why it was flagged

The script declares runtime dependencies with lower-bound version ranges rather than exact pinned versions. This is common for uv-run scripts and aligns with the purpose, but it is less reproducible than a locked dependency set.

Skill content
# dependencies = [
#     "google-genai>=1.0.0",
#     "pillow>=10.0.0",
# ]
Recommendation

For repeatable use, review the packages and consider pinning versions or using a lockfile in a controlled environment.

What this means

Existing files at chosen output paths may be overwritten, and the workflow depends on the local ffmpeg binary.

Why it was flagged

The script invokes local ffmpeg commands for stitching and frame extraction. This is directly tied to the stated video workflow, but it is still local command execution, and it passes -y, which silently overwrites the output path if a file already exists there. The concat list is also read with -safe 0, which lets the demuxer follow absolute and otherwise "unsafe" paths named in the list; that is appropriate when the list is generated from the script's own segment files, but the list must not be built from untrusted input.

Skill content
cmd = [
        "ffmpeg",
        "-y",
        "-f",
        "concat",
        "-safe",
        "0",
Recommendation

Use a trusted ffmpeg installation and choose a safe output directory or filename that will not overwrite important files.