ClawHub

Veo Video Generator

v1.2.2

Generates high-fidelity 1080p videos with synced audio using Google Veo 3.1. Use for creating cinematic clips from text descriptions.

2· 585·1 current·1 all-time
byKenneth Gerald Hamilton@kghamilton89
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binaries (node, npm), dependency (@google/genai) and the single required env var (GEMINI_API_KEY) all match the stated purpose of calling Google's Veo/GenAI video API.
Instruction Scope
SKILL.md instructs npm install and to invoke generate.js with an argv array (execFile-style). The included generate.js only uses process.env for GEMINI_API_KEY, sends the prompt to the Google GenAI SDK, polls for the operation, downloads the generated video to a local .mp4, and does not read arbitrary local files or transmit data to non-Google endpoints. The script also contains a shell-metacharacter rejection guard as defense-in-depth.
Install Mechanism
Installation is via npm (npm install). package-lock.json points to registry.npmjs.org packages (no unusual download URLs or ad-hoc extracts), which is a standard, traceable install mechanism — moderate risk typical of npm packages.
Credentials
Only GEMINI_API_KEY is required (declared as primaryEnv). The SDK notes it may also accept GOOGLE_API_KEY, but no unrelated secrets or extraneous credentials are requested.
Persistence & Privilege
Skill is not forced-always; it is user-invocable and can be invoked autonomously (platform default). It does not request persistent agent-wide privileges or modify other skills/configs.
Assessment
This skill is internally consistent for generating videos via Google's GenAI SDK, but before installing: 1) Confirm you're comfortable providing GEMINI_API_KEY (it will be sent to Google's APIs and may incur billing). 2) Review and trust @google/genai from npm (package-lock uses registry.npmjs.org, which is normal). 3) Note the repository/source and homepage are missing — consider running npm install and the script in an isolated environment (or inspect the installed node modules) before granting keys. 4) The script writes generated .mp4 files into the workspace — ensure storage and privacy policies are acceptable. 5) If you use an alternate Google credential (GOOGLE_API_KEY), be aware the SDK may accept it; provide only the least-privilege key needed. If you want higher assurance, ask the publisher for a repository/homepage and a signed release or run the code in a sandboxed container.

Like a lobster shell, security has layers — review code before you run it.

latestvk97883v6wx551xvc407rezvqsh81xayr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
Binsnode, npm
EnvGEMINI_API_KEY
Primary envGEMINI_API_KEY

Comments