Veo Video Generator
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: veo-video-generator
Version: 1.2.2
The skill bundle is designed to generate videos using Google Veo. Both the `SKILL.md` instructions and the `generate.js` code demonstrate strong security awareness, explicitly warning against and implementing defenses for shell injection vulnerabilities by requiring argument array invocation and performing input sanitization against shell metacharacters. There is no evidence of data exfiltration, unauthorized execution, persistence, or other malicious behaviors. The dependencies listed in `package.json` and `package-lock.json` are standard for the Google GenAI SDK.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill may consume Google/Gemini API quota or incur costs, and prompts are sent to Google for generation.
The skill uses the user-provided Gemini API key to call Google GenAI, which is necessary for the stated video-generation purpose but grants access to the user’s provider account.
`const apiKey = process.env.GEMINI_API_KEY; ... const ai = new GoogleGenAI({ apiKey });`
Use a Gemini API key with appropriate limits and avoid putting secrets or private information in video prompts unless you are comfortable sending them to Google.
Installing the skill fetches third-party npm dependencies into the environment.
The skill depends on npm packages before use. This is expected for a Node-based Google API integration, and package-lock.json includes pinned resolved packages and integrity data, but dependency installation is still a supply-chain surface.
The agent must run `npm install` once before the first execution to fetch dependencies.
Review the package.json/package-lock.json if dependency provenance matters, and install only in an environment where npm package installation is acceptable.
