ClawHub
Back to skill
v1.0.0

Veo 3.1

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:08 AM.

Analysis

The artifacts show a purpose-aligned NanoPhoto video-generation skill, but it needs a NanoPhoto API key and sends prompts/public image URLs to NanoPhoto, which can use account credits.

GuidanceThis skill appears coherent for NanoPhoto Veo 3.1 generation. Install it only if you are comfortable giving it a NanoPhoto API key, sending the requested prompts or public image URLs to NanoPhoto, and spending the associated service credits.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
references/api.md
| `720p` | per shot | 10 | ... | `4k` | single-shot only | 30 |

The documented API consumes credits by resolution and shot count. This is core to video generation, but users should notice the cost-bearing action before submitting jobs.

User impactSubmitting a generation task can spend NanoPhoto credits, especially for multiple shots or higher resolutions.
RecommendationConfirm shot count, resolution, and expected credit use before submission; keep 720p as the default unless higher resolution is intentionally requested.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/veo_3_1.py
return explicit_api_key or os.environ.get(ENV_KEY_NAME) or load_api_key_from_openclaw_config()

The script uses a NanoPhoto API key and can read the skill-scoped key from environment/config fallback. This is expected for the service integration, but it is still account credential access.

User impactAnyone installing it must trust the skill with a NanoPhoto API key that may access the account and spend available service credits.
RecommendationUse the platform’s secure environment setting, avoid passing the key in chat or command-line history, and revoke or rotate the key if you no longer trust the skill.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/veo_3_1.py
payload = build_generate_payload(args)
    return post_json(GENERATE_URL, api_key, payload, args.timeout, args.user_agent)

The script posts the generation payload, including prompts and any imageUrls, to the NanoPhoto API. This external provider flow is disclosed and purpose-aligned.

User impactPrompts and referenced public image URLs leave the local environment and are processed by NanoPhoto.
RecommendationOnly submit prompts and image URLs you are comfortable sharing with NanoPhoto, and do not use private or sensitive images as public URLs.