← 返回 Skills 市场
Veo
作者
Buddy Hadry
· GitHub ↗
· v1.3.0
6350
总下载
1
收藏
23
当前安装
4
版本数
在 OpenClaw 中安装
/install veo
功能描述
Generate video using Google Veo (Veo 3.1 / Veo 3.0).
安全使用建议
Install only if you are comfortable sending selected prompt text and reference-image files to Google's Veo/Gemini API. Do not let untrusted prompts choose --input-image paths, and avoid using that option unless you have verified the file is a non-sensitive image.
功能分析
Type: OpenClaw Skill
Name: veo
Version: 1.3.0
The skill's primary purpose is legitimate video generation using Google's Veo API. However, the `scripts/generate_video.py` script is suspicious due to a local file disclosure vulnerability. It accepts `--input-image` arguments, reads the content of the specified files, and sends these raw bytes to the Google Veo API as `imageBytes`. While intended for image files, there is no content validation, meaning an attacker could potentially use prompt injection against the OpenClaw agent to provide paths to sensitive local files (e.g., `~/.ssh/id_rsa`, `/etc/passwd`), leading to their content being read and exfiltrated to Google's API.
能力评估
Purpose & Capability
The core purpose is coherent: it generates videos through Google's Veo API, uses a Gemini API key, and saves an MP4 output file. The script also supports reference-image upload, which fits image-to-video generation but expands local file access.
Instruction Scope
The top-level skill instructions do not clearly list the --input-image option, while the script accepts it and sends file contents to the external API. There is no evidence of prompt override or hidden agent-control instructions.
Install Mechanism
The artifact consists of SKILL.md and one Python script using uv inline dependencies for google-genai. No install hook, remote bootstrap script, or unexpected package-install behavior was found.
Credentials
The script reads each user-supplied --input-image path as raw bytes and passes it as imageBytes to Google, with only existence and count checks. It does not validate image content, size, or path scope, so a mistaken or prompt-injected path could disclose unrelated local files.
Persistence & Privilege
No persistence, privilege escalation, background worker, credential harvesting, or destructive behavior was found. It creates output directories and writes the requested video file, which is expected for the stated purpose.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install veo - 安装完成后,直接呼叫该 Skill 的名称或使用
/veo触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.3.0
Simplify metadata: remove nested tags, flatten structure
v1.1.0
Fixed metadata: declare GEMINI_API_KEY as required env var; removed --api-key option from docs (not implemented in script)
v1.0.1
Remove extra frontmatter (homepage, metadata)
v1.0.0
Initial release - Google Veo video generation (Veo 3.1/3.0/2.0 support, aspect ratios, MEDIA: output for chat attachment)
元数据
常见问题
Veo 是什么?
Generate video using Google Veo (Veo 3.1 / Veo 3.0). 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 6350 次。
如何安装 Veo?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install veo」即可一键安装,无需额外配置。
Veo 是免费的吗?
是的,Veo 完全免费(开源免费),可自由下载、安装和使用。
Veo 支持哪些平台?
Veo 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Veo?
由 Buddy Hadry(@buddyh)开发并维护,当前版本 v1.3.0。
推荐 Skills