Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Veo
v0.1.5
Generate videos with Google Veo models via inference.sh CLI. Models: Veo 3.1, Veo 3.1 Fast, Veo 3, Veo 3 Fast, Veo 2. Capabilities: text-to-video, cinematic...
by Ömer Karışman (@okaris)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions: all examples and commands use the inference.sh CLI to run Google Veo apps. Nothing in the SKILL.md asks for unrelated cloud providers, binaries, or services.
Instruction Scope
Instructions are narrowly scoped to installing/running the inference.sh CLI and invoking specific 'infsh app run' commands. The SKILL.md does not instruct reading arbitrary system files or unrelated environment variables.
Install Mechanism
The SKILL.md recommends piping an installer from https://cli.inference.sh (curl -fsSL https://cli.inference.sh | sh). That is a network-downloaded installer from a third-party domain (not e.g., a traced GitHub release URL). Although the doc claims checksum verification is available, directing users/agents to run a remote install script (and to download binaries from dist.inference.sh) is higher-risk and should be validated manually before execution.
Credentials
The skill declares no required env vars, but the instructions call 'infsh login', which implies credential creation/storage and network-transmitted tokens. The registry metadata doesn't document what credentials the CLI will request or how tokens are stored — a gap between declared requirements and runtime behavior that could lead to unexpected credential handling.
Persistence & Privilege
The skill does not request always: true and has no install spec that writes files under the skill system. It does rely on an external CLI which may persist its own credentials/config, but the skill itself does not claim elevated or persistent platform privileges.
What to consider before installing
This skill appears to do what it says (invoke Google Veo models via inference.sh), but exercise caution before installing or letting an agent run the suggested installer automatically. Specifically:
- Do not blindly run 'curl https://cli.inference.sh | sh' — prefer manually downloading the binary from a verified release page and checking the SHA-256 checksums the SKILL.md references.
- Understand what 'infsh login' will do: it likely creates API tokens and persists them locally; find the CLI's docs or source to see where credentials are stored and what scopes are granted.
- Verify the publisher/domain (inference.sh, dist.inference.sh) and look for an official project repository, release artifacts, and independent reviews. If no reputable source exists, treat the installer as high risk.
- If you must test: run the installer in an isolated environment (VM/container), avoid running as root, and inspect the downloaded binary and network activity.
- If you need higher assurance, ask the skill author for a canonical, verifiable install URL (e.g., GitHub releases) and explicit documentation of what credentials the CLI requires and how it handles them.
Confidence is medium because the skill is internally coherent but the remote-install pattern and undeclared credential handling are legitimate security concerns that should be resolved before wide use.
Like a lobster shell, security has layers — review code before you run it.
