Veo 3 Video Gen (Gemini API)

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generating multiple segments can make multiple paid or quota-consuming API calls, and prompt content is sent to the provider.

Why it was flagged

The skill clearly discloses that each segment invokes the external Veo API. This is expected for video generation, but it can consume quota or billing and may send user-provided prompt content to Google.

Skill content

**Important:** This skill sends **one prompt per segment** (one Veo request per segment).

Recommendation

Confirm the segment count and avoid including sensitive prompt content unless you intend to send it to the Gemini/Veo API.

What this means

A supplied API key can authorize Gemini API usage and may consume account quota or billing.

Why it was flagged

The script accepts a Gemini API credential. This is purpose-aligned for using Google Veo, but the registry metadata declares no primary credential or required env vars, and command-line secrets can be exposed locally through shell history or process listings.

Skill content

parser.add_argument("--api-key", "-k", help="API key (overrides GEMINI_API_KEY)")

Recommendation

Prefer a restricted GEMINI_API_KEY environment variable over passing --api-key on the command line, and rotate the key if it may have been exposed.

What this means

Future dependency versions could change behavior or introduce compatibility issues.

Why it was flagged

The script declares runtime dependencies with lower-bound version ranges rather than exact pinned versions. This is common for uv-run scripts and aligns with the purpose, but it is less reproducible than a locked dependency set.

Skill content

# dependencies = [
#     "google-genai>=1.0.0",
#     "pillow>=10.0.0",
# ]

Recommendation

For repeatable use, review the packages and consider pinning versions or using a lockfile in a controlled environment.

What this means

Existing files at chosen output paths may be overwritten, and the workflow depends on the local ffmpeg binary.

Why it was flagged

The script invokes local ffmpeg commands for stitching and frame extraction. This is directly tied to the stated video workflow, but it is still local command execution and uses -y, which overwrites the specified output path.

Skill content

cmd = [
    "ffmpeg",
    "-y",
    "-f",
    "concat",
    "-safe",
    "0",

Recommendation

Use a trusted ffmpeg installation and choose a safe output directory or filename that will not overwrite important files.