Veo

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill coherently generates Google Veo videos, but users should be aware that it uses a Gemini API key, sends prompts and optional images to Google, and resolves a Python dependency through uv.

This looks reasonable for a Google Veo video-generation skill. Before using it, be comfortable providing a Gemini API key, sending prompts and any selected images to Google, and allowing uv to resolve the google-genai dependency; consider using a dedicated key with quota limits.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill can consume Google Gemini/Veo quota or billing associated with the configured API key.

Why it was flagged

The skill requires a Google/Gemini credential to call Veo. That is expected for this purpose, but users should be aware of the credential use, especially because the registry metadata lists no required env vars or primary credential.

Skill content

API key
- `GEMINI_API_KEY` env var (preferred)
- Or set `skills."veo".env.GEMINI_API_KEY` in `~/.clawdbot/clawdbot.json`

Recommendation

Use a Gemini API key intended for this purpose, apply quota or billing limits where possible, and avoid sharing the key outside the configured environment.

What this means

The behavior of the skill depends partly on the google-genai package version resolved at runtime.

Why it was flagged

The uv script declares an external Python package with a broad version range and no lockfile in the provided artifacts. This is normal for a small integration, but it means future runs may resolve newer dependency versions.

Skill content

# dependencies = [
#     "google-genai>=1.0.0",
# ]

Recommendation

Prefer a pinned dependency or reviewed lockfile if reproducibility or supply-chain control is important.

What this means

Prompts and any selected input images may leave the local environment and be processed by Google.

Why it was flagged

The script sends the user prompt, and optional local input image bytes, to Google's video-generation API. This is core to the stated purpose, but it crosses a provider data boundary.

Skill content

with open(image_path, "rb") as f:
    image_data = f.read()
...
operation = client.models.generate_videos(
    model=args.model,
    prompt=args.prompt,

Recommendation

Only provide prompts and images you are comfortable sending to Google, and check the applicable Google API data-use terms for sensitive content.