Is kghamilton89/veo-video-generator safe?

https://github.com/openclaw/skills/tree/main/skills/kghamilton89/veo-video-generator

87
SAFE

This is a legitimate video generation skill that uses Google's Veo 3.1 API to create videos from text prompts. The main privacy consideration is that user prompts are sent to an external API service, but this is disclosed and necessary for the skill's functionality. The code is clean with no evidence of malicious behavior.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

MEDIUM User prompts sent to external API -20

The skill sends user-provided text prompts to Google's GenAI API for video generation. While this is the intended functionality, it represents a potential privacy concern as user data leaves the local environment.

LOW Requires npm package installation -5

The skill requires running 'npm install' to download the @google/genai dependency, which involves executing package installation scripts.

LOW Instructions to execute shell commands -5

The skill instructions direct the agent to run shell commands (npm install, node generate.js), though these are legitimate for the skill's functionality.

INFO Environment variable access -10

The skill reads the GEMINI_API_KEY environment variable, which is expected for API authentication but represents access to potentially sensitive configuration.