Skill v1.0.0

ClawScan security

Veo Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 2, 2026, 12:24 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions align with its stated purpose (calling monet.vision to create video tasks), and it only asks for one API key. However, the package metadata has no homepage or source link to verify against, so validate the vendor before use.
Guidance
This skill appears coherent: it documents how to call monet.vision and only asks for MONET_API_KEY. Before installing, verify monet.vision is the legitimate service you expect (the package metadata has no homepage/source link). Use a dedicated API key with minimal permissions and billing controls, confirm expected data retention (files reportedly stored 24 hours), and monitor API usage for unexpected calls. If you need vendor assurance, ask the skill author for a homepage or official docs link and confirm any 'Google' branding is accurate.

Review Dimensions

Purpose & Capability
note: The skill describes Google 'Veo' models but the runtime instructions consistently call monet.vision API endpoints and only require MONET_API_KEY, which is coherent for a wrapper around Monet's video API. Minor concern: the registry metadata lists no homepage and source is unknown, and the marketing claim of 'Google' could be overstated; verify that monet.vision is the legitimate provider you expect.
Instruction Scope
ok: SKILL.md is instruction-only and shows concrete curl/fetch examples that use only the declared MONET_API_KEY and standard HTTP endpoints (tasks, files). It does not instruct reading arbitrary local files or unrelated environment variables, nor does it transmit data to unexpected endpoints beyond monet.vision and files.monet.vision.
Install Mechanism
ok: No install spec and no code files (instruction-only skill). This minimizes on-disk risk; nothing is downloaded or executed by an installer.
Credentials
ok: Only a single environment variable (MONET_API_KEY) is required, which is appropriate for calling a third-party API. No additional secrets, config paths, or unrelated credentials are requested.
Persistence & Privilege
ok: The skill is not always-enabled and is user-invocable; it does not request elevated persistence or modify other skills. Autonomous invocation is permitted (platform default) and is not by itself a concern here.