buddyh

Veo

by Buddy Hadry · GitHub ↗ · v1.3.0
cross-platform ⚠ suspicious
Downloads: 6350
Stars: 1
Active Installs: 23
Versions: 4
Install in OpenClaw
/install veo
Description
Generate video using Google Veo (Veo 3.1 / Veo 3.0).
Usage Guidance
Install only if you are comfortable sending selected prompt text and reference-image files to Google's Veo/Gemini API. Do not let untrusted prompts choose --input-image paths, and avoid using that option unless you have verified the file is a non-sensitive image.
Capability Analysis
Type: OpenClaw Skill
Name: veo
Version: 1.3.0
The skill's primary purpose is legitimate video generation using Google's Veo API. However, the `scripts/generate_video.py` script is suspicious due to a local file disclosure vulnerability. It accepts `--input-image` arguments, reads the content of the specified files, and sends these raw bytes to the Google Veo API as `imageBytes`. While intended for image files, there is no content validation, meaning an attacker could potentially use prompt injection against the OpenClaw agent to provide paths to sensitive local files (e.g., `~/.ssh/id_rsa`, `/etc/passwd`), leading to their content being read and exfiltrated to Google's API.
Capability Assessment
Purpose & Capability
The core purpose is coherent: it generates videos through Google's Veo API, uses a Gemini API key, and saves an MP4 output file. The script also supports reference-image upload, which fits image-to-video generation but expands local file access.
Instruction Scope
The top-level skill instructions do not clearly list the --input-image option, while the script accepts it and sends file contents to the external API. There is no evidence of prompt override or hidden agent-control instructions.
Install Mechanism
The artifact consists of SKILL.md and one Python script using uv inline dependencies for google-genai. No install hook, remote bootstrap script, or unexpected package-install behavior was found.
Credentials
The script reads each user-supplied --input-image path as raw bytes and passes it as imageBytes to Google, with only existence and count checks. It does not validate image content, size, or path scope, so a mistaken or prompt-injected path could disclose unrelated local files.
Persistence & Privilege
No persistence, privilege escalation, background worker, credential harvesting, or destructive behavior was found. It creates output directories and writes the requested video file, which is expected for the stated purpose.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install veo
  3. After installation, invoke the skill by name or use /veo
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.0
Simplify metadata: remove nested tags, flatten structure
v1.1.0
Fixed metadata: declare GEMINI_API_KEY as required env var; removed --api-key option from docs (not implemented in script)
v1.0.1
Remove extra frontmatter (homepage, metadata)
v1.0.0
Initial release - Google Veo video generation (Veo 3.1/3.0/2.0 support, aspect ratios, MEDIA: output for chat attachment)
Metadata
Slug veo
Version 1.3.0
License
All-time Installs 239
Active Installs 23
Total Versions 4
Frequently Asked Questions

What is Veo?

Generate video using Google Veo (Veo 3.1 / Veo 3.0). It is an AI Agent Skill for Claude Code / OpenClaw, with 6350 downloads so far.

How do I install Veo?

Run "/install veo" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Veo free?

Yes, Veo is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Veo support?

Veo is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Veo?

It is built and maintained by Buddy Hadry (@buddyh); the current version is v1.3.0.
