Kling
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: kling Version: 1.0.0 The skill is designed to generate AI videos via the Kie.ai API. It correctly reads the `KIE_API_KEY` environment variable for authentication, as documented in `SKILL.md`. The `kling.js` script only makes network requests to the specified `https://api.kie.ai` endpoint and does not attempt to access sensitive files, execute arbitrary commands, or exfiltrate data. The `SKILL.md` instructions are clear and do not contain any prompt injection attempts against the OpenClaw agent. Dependencies listed in `package.json` and `package-lock.json` are standard and widely used (axios).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the generation commands can use the user's Kie.ai account and may consume credits.
The skill uses a Kie.ai API key to authenticate requests. This is necessary for the stated provider integration, but it gives the skill access to the user's Kie.ai account capabilities.
const API_KEY = process.env.KIE_API_KEY; ... 'Authorization': `Bearer ${API_KEY}`Only install and run this with a Kie.ai API key you are comfortable using, and monitor credit usage.
Prompts are sent to Kie.ai and video jobs are created on the user's account.
The skill can create remote video-generation jobs through the provider API. This is aligned with its purpose, but it is an external account action rather than a local-only operation.
const response = await client.post('/jobs/createTask', payload);Review prompts before generating videos, especially if they include confidential campaign, client, or testimonial details.
Users have less external information to confirm who maintains the skill or where it originated.
The package provenance is not easily verifiable from the provided metadata, even though the included code is small and purpose-aligned.
Source: unknown; Homepage: none
Prefer installing from trusted owners or verify the included files before providing an API key.