Trust Assessment
veo received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings: sensitive path access (AI agent config); arbitrary file write due to an unsanitized filename; disclosure of an arbitrary file path after a write operation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: `~/.clawdbot/`. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/buddyh/veo/SKILL.md:19 |
| HIGH | **Arbitrary file write due to unsanitized filename.** The `generate_video.py` script uses the user-provided `--filename` argument directly to construct a file path for saving the generated video. This allows path traversal (e.g., `../../../../tmp/evil.mp4`), enabling an attacker to write files to arbitrary locations on the filesystem. This could lead to overwriting existing files, creating files in sensitive directories, or filling up disk space, potentially causing denial of service or system instability. Sanitize the `filename` argument to ensure it does not contain path traversal sequences, and restrict the output path to a designated, sandboxed directory. For example, use `Path(base_output_dir) / Path(args.filename).name` so that the file is always saved within `base_output_dir` and only the base name of the user-provided filename is used. | LLM | scripts/generate_video.py:49 |
| MEDIUM | **Disclosure of arbitrary file path after write operation.** Following a successful video generation and save operation, the script prints the full path of the saved file using `MEDIA: {output_path}`. If an attacker exploits the path traversal vulnerability (SS-PERM-001) to write a file to an arbitrary location, this output line confirms the success of the write and discloses the absolute path to that location. This reveals information about the filesystem structure and confirms the arbitrary file write, which can aid further exploitation. Implement the remediation for SS-PERM-001 to prevent writing to arbitrary locations; once the output path is restricted to a safe, sandboxed directory, disclosing a path within that controlled directory becomes a significantly lower risk. | LLM | scripts/generate_video.py:77 |
Full report: https://skillshield.io/report/30049344fb146f93