Veo 3.1
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The artifacts show a purpose-aligned NanoPhoto video-generation skill, but it needs a NanoPhoto API key and sends prompts/public image URLs to NanoPhoto, which can use account credits.
This skill appears coherent for NanoPhoto Veo 3.1 generation. Install it only if you are comfortable giving it a NanoPhoto API key, sending the requested prompts or public image URLs to NanoPhoto, and spending the associated service credits.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing it must trust the skill with a NanoPhoto API key that may access the account and spend available service credits.
The script uses a NanoPhoto API key and can read the skill-scoped key from environment/config fallback. This is expected for the service integration, but it is still account credential access.
return explicit_api_key or os.environ.get(ENV_KEY_NAME) or load_api_key_from_openclaw_config()
Use the platform’s secure environment setting, avoid passing the key in chat or command-line history, and revoke or rotate the key if you no longer trust the skill.
Submitting a generation task can spend NanoPhoto credits, especially for multiple shots or higher resolutions.
The documented API consumes credits by resolution and shot count. This is core to video generation, but users should notice the cost-bearing action before submitting jobs.
| `720p` | per shot | 10 | ... | `4k` | single-shot only | 30 |
Confirm shot count, resolution, and expected credit use before submission; keep 720p as the default unless higher resolution is intentionally requested.
Prompts and referenced public image URLs leave the local environment and are processed by NanoPhoto.
The script posts the generation payload, including prompts and any imageUrls, to the NanoPhoto API. This external provider flow is disclosed and purpose-aligned.
payload = build_generate_payload(args)
return post_json(GENERATE_URL, api_key, payload, args.timeout, args.user_agent)Only submit prompts and image URLs you are comfortable sharing with NanoPhoto, and do not use private or sensitive images as public URLs.