Maverick Google Video Url Analysis

PassAudited by ClawScan on May 13, 2026.

Overview

This skill does what it claims—sends a user-provided public video URL and prompt to Google Gemini—with the main considerations being API key use, Google data sharing, and an optional unpinned Python dependency.

This appears safe to install if you intend to analyze public video URLs with Gemini. Before use, provide a Gemini API key carefully, expect your URL and prompt to be sent to Google, and install the Google GenAI dependency from a trusted source if your environment does not already have it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI03: Identity and Privilege Abuse

What this means

Using the skill may consume Gemini API quota or incur provider-side costs under the user's API key.

Why it was flagged

The skill requires a Google/Gemini API key. This is expected for calling Gemini, but users should understand they are authorizing use of their Google AI API access.

Skill content

Set an API key: - `MAVERICK_GEMINI_API_KEY` (preferred), or - `MAVERICK_GOOGLE_API_KEY`

Recommendation

Use a scoped Gemini API key where possible, monitor usage, and avoid passing the key on the command line in shared shell histories.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

The video URL and prompt content will be shared with Google Gemini for processing.

Why it was flagged

The script sends the provided video URL and prompt to the Google Gemini API. This external provider data flow is disclosed and central to the skill's purpose.

Skill content

types.Part(file_data=types.FileData(file_uri=args.video_url)),
                types.Part(text=args.prompt),
...
response = client.models.generate_content(model=args.model, contents=contents)

Recommendation

Use only public video URLs as instructed, and do not include confidential information in prompts unless acceptable under the provider's terms and your data policy.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users may install a package version that changes over time, which can affect reproducibility or dependency risk.

Why it was flagged

If the dependency is missing, the script directs users to install an unpinned package. This is a normal integration dependency, but the artifact does not pin a version or provide an install spec.

Skill content

"Missing dependency 'google-genai'. Install it with: pip install google-genai"

Recommendation

Install google-genai from the official package source in a controlled environment and consider pinning a known-good version.