Is veo safe?

https://clawhub.ai/buddyh/veo

Overall score: 82 (verdict: SAFE)

The veo skill is a straightforward Google Veo video generation wrapper with no prompt injection, no malicious code, and no exfiltration attempts. The primary risks are the unbounded dependency version constraint, auto-installed via uv run, and the --input-image parameter, which could in principle be abused to read arbitrary local files and send their contents to Google's API. The skill's behavior aligns with its stated purpose.

Category Scores

Category               Score     Weight
Prompt Injection       90/100    30%
Data Exfiltration      75/100    25%
Code Execution         65/100    20%
Clone Behavior         75/100    10%
Canary Integrity      100/100    10%
Behavioral Reasoning   80/100     5%

Findings (7)

MEDIUM: Unbounded dependency version constraint (-15)

The inline PEP 723 script metadata specifies google-genai>=1.0.0 with no upper bound. The uv run command auto-resolves and installs this dependency at runtime. If the google-genai package were compromised or a malicious version were published, it would be installed automatically without user review.

MEDIUM: Runtime dependency installation via uv run (-20)

The skill uses uv run, which combines dependency resolution, installation, and script execution in a single step. Users have no opportunity to review the resolved dependencies before they are installed and the script runs.

MEDIUM: Input image parameter enables indirect file reading (-20)

The --input-image flag reads an arbitrary file from disk and sends its binary content to Google's API. In an LLM agent context, a crafted prompt or injected instruction could trick the agent into passing sensitive files (e.g., private keys or config files) as 'input images', effectively exfiltrating their contents to Google's servers.

LOW: Arbitrary filesystem write via --filename (-10)

The --filename parameter creates any missing parent directories and writes to the specified path. If the LLM agent passes an unsanitized filename, files could be written to sensitive locations.

LOW: API key required in environment (-5)

The skill requires GEMINI_API_KEY in the environment. This is expected for its function, but it widens the attack surface if other skills or injected instructions can read environment variables.

INFO: Clean SKILL.md with no injection patterns (-10)

The SKILL.md contains only legitimate usage instructions and standard metadata, with no hidden directives or override attempts.

INFO: Platform runtime accessed sensitive files during install (-25)

During installation, the host platform (not the skill) accessed .env, .aws/credentials, and config files. This is platform behavior rather than skill behavior, but it is noted here for transparency.