Google Veo
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can call the inference.sh CLI for video generation workflows, so users should review prompts and commands that may use their account.
The skill authorizes the agent to invoke the external `infsh` CLI broadly rather than only a single fixed Veo command. This is aligned with the stated purpose but is worth noticing because those commands run through the user's configured CLI account.
allowed-tools: Bash(infsh *)
Keep use limited to the documented Veo commands and review any generated `infsh` command before approving it if the action could affect your account.
Video generation commands will operate under the logged-in inference.sh account.
`infsh login` indicates the CLI will be connected to an external account. That is expected for this provider integration, but the registry metadata does not declare a primary credential.
curl -fsSL https://cli.inference.sh | sh && infsh login
Log in only with the account you intend to use, understand what access that account grants, and revoke or rotate the session if you stop using the skill.
Installing the CLI requires trusting the inference.sh download and installer path.
The quick start asks the user to execute a remotely downloaded installer. The artifact discloses checksum verification and says there are no elevated permissions or background processes, but the installer itself is external to the provided skill artifacts.
curl -fsSL https://cli.inference.sh | sh && infsh login
Use the manual install and checksum verification option if possible, and install only if you trust the inference.sh source.
Prompts or input files used for generation may be processed by external services.
The documented workflow sends prompt input to an external model service through the inference.sh CLI. This is expected for cloud video generation but means prompt data leaves the local environment.
infsh app run google/veo-3-1-fast --input '{"prompt": "drone shot over a mountain lake"}'
Avoid including sensitive personal, confidential, or proprietary information in prompts unless you are comfortable with the provider's data handling terms.
