Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skill Veo3 Video Gen
v1.0.0
Generate and stitch short videos via Google Veo 3.x using the Gemini API (google-genai). Use when you need to create video clips from prompts (ads, UGC-style...
by Zero2Ai (@zero2ai-hub)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and bundled script clearly require a Gemini API key (GEMINI_API_KEY) and call a Google Veo model via the google-genai SDK; however the registry metadata lists no required environment variables or primary credential. That mismatch is an incoherence between what the skill needs and what the package declares.
Instruction Scope
Instructions are narrowly focused on generating video, polling the API, downloading files, optionally extracting last frames and concatenating segments with ffmpeg. The script uses subprocess to call ffmpeg and runs a shell check for binaries — these are expected for this functionality. SKILL.md references storing the key in 'openclaw.json' (second key) which is an unexpected storage hint and should be clarified.
Install Mechanism
This is instruction-only with a bundled Python script. There is no install spec that downloads arbitrary code from an external URL. The script declares dependencies (google-genai, pillow) in a header comment; that is normal for a Python script meant to be run in an environment that installs dependencies.
Credentials
The runtime requires GEMINI_API_KEY (or --api-key) to call the Gemini/Veo API which is appropriate for the stated purpose, but the registry metadata omits this required environment variable. The skill also asks users to provide keys and mentions fallback to other skills (Runway) — ensure no additional credential requirements are hidden.
Persistence & Privilege
The skill does not request always:true, system-wide config changes, or other elevated privileges. It reads/writes local files (output MP4s, intermediate PNGs) which is expected for this use.
What to consider before installing
This skill appears to implement Veo/Gemini video generation, but the package metadata failing to declare GEMINI_API_KEY is a red flag. Before installing:
(1) confirm the publisher/source and ask them to correct the metadata to list GEMINI_API_KEY as required;
(2) run the script in an isolated environment (container/VM) the first time;
(3) restrict the GEMINI_API_KEY to minimal billing/quota and rotate it after testing;
(4) inspect the full generate_video.py (you have a truncated copy here) to ensure there are no unexpected network endpoints or data-exfiltration steps;
(5) ensure ffmpeg and any dependencies are installed from trusted sources.
If the source is unknown/untrusted, do not provide production API keys or sensitive credentials.
Like a lobster shell, security has layers — review code before you run it.
