Kling

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the generation commands can use the user's Kie.ai account and may consume credits.

Why it was flagged

The skill uses a Kie.ai API key to authenticate requests. This is necessary for the stated provider integration, but it gives the skill access to the user's Kie.ai account capabilities.

Skill content

const API_KEY = process.env.KIE_API_KEY; ... 'Authorization': `Bearer ${API_KEY}`

Recommendation

Only install and run this with a Kie.ai API key you are comfortable using, and monitor credit usage.

What this means

Prompts are sent to Kie.ai and video jobs are created on the user's account.

Why it was flagged

The skill can create remote video-generation jobs through the provider API. This is aligned with its purpose, but it is an external account action rather than a local-only operation.

Skill content

const response = await client.post('/jobs/createTask', payload);

Recommendation

Review prompts before generating videos, especially if they include confidential campaign, client, or testimonial details.

What this means

Users have less external information to confirm who maintains the skill or where it originated.

Why it was flagged

The package provenance is not easily verifiable from the provided metadata, even though the included code is small and purpose-aligned.

Skill content

Source: unknown; Homepage: none

Recommendation

Prefer installing from trusted owners or verify the included files before providing an API key.

Findings (1)

critical

suspicious.env_credential_access

Location: kling.js:4

Finding: Environment variable access combined with network send.