Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Veo

v1.3.0

Generate video using Google Veo (Veo 3.1 / Veo 3.0).

by Buddy Hadry (@buddyh)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The script and SKILL.md implement video generation via Google Veo (google-genai client), which matches the skill name and description. Minor inconsistency: the registry metadata at the top lists no required env vars, but SKILL.md and the script both expect GEMINI_API_KEY. The script also declares a dependency on google-genai in comments but the registry/install metadata does not list or install that dependency.
Instruction Scope
Runtime instructions are narrowly scoped: run the provided script via 'uv run', supply a prompt, optional input images, and an output filename. The SKILL.md suggests storing GEMINI_API_KEY either in an env var or in ~/.clawdbot/clawdbot.json (the script itself uses the env var), which is a minor inconsistency but not malicious. The script only reads user-specified input image files and writes the output MP4; it sends data to Google's Veo service (expected for this purpose).
Install Mechanism
No install spec is provided (instruction-only plus a script), which lowers install risk but also leaves dependencies undeclared at the registry level. The script comments indicate dependency on google-genai, but there is no automatic install step or guidance to install that package beyond requiring the 'uv' binary. This is an operational gap rather than an obvious security issue.
Credentials
The only secret required in practice is a single GEMINI_API_KEY (Google API key) which is proportionate to calling Veo. However, the registry summary omitted this env var while SKILL.md requires it, creating an inconsistency the user should note. The SKILL.md suggestion to place the key in ~/.clawdbot/clawdbot.json is a convenience suggestion; the script itself reads the environment variable, not that file.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skills or global agent settings, and does not install background services. It only writes the generated video file to a user-specified path.
Assessment
This skill appears to do what it says: generate video via Google's Veo API. Before installing or running it, consider the following:
- You must provide a valid GEMINI_API_KEY (Google API key) in your environment; the registry metadata omitted this requirement, so set the env var GEMINI_API_KEY yourself. The script does not automatically read ~/.clawdbot/clawdbot.json despite the SKILL.md mentioning that path.
- Install the Python dependency google-genai (the script comments list it) and ensure you have the 'uv' runner available. The skill has no install step, so dependency setup is your responsibility.
- The script will send your prompt and any provided images to Google's servers; do not use sensitive imagery or prompts you do not want transmitted externally.
- The package author and homepage are unknown; if you require higher assurance, review the google-genai library being installed (verify its source/version) and inspect the script locally before running. Run in an isolated environment if you have security concerns.
- If you want the registry to be accurate, ask the publisher to declare GEMINI_API_KEY in the registry requires.env and to add an install spec or explicit dependency instructions.

Like a lobster shell, security has layers — review code before you run it.

latestvk973tax90j73gm27kqhkvqpy8d810xja

Runtime requirements

🎬 Clawdis
Bins: uv