Kling Ai Video

Security checks across malware telemetry and agentic risk

Overview

This cloud video-generation skill appears purpose-aligned, but it can send prompts, media, and session data to a third-party backend with broad routing and limited user-facing disclosure.

Install only if you are comfortable with prompts, uploaded images/videos/audio, session identifiers, and render metadata being sent to mega-api-prod.nemovideo.ai. Use it only for explicit video-generation tasks, avoid sensitive or regulated media, and keep NEMO_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 86%
Finding
The invocation examples are broad enough that ordinary user phrases like 'generate my text prompts or images' or 'export 1080p MP4' could activate the skill unintentionally. In a skill that uploads user content and talks to a remote backend, accidental activation can cause unintended transmission of prompts or files and unexpected credit consumption.

Vague Triggers

Medium
Confidence: 92%
Finding
The routing table contains a catch-all rule that sends 'Everything else' to SSE processing, which is effectively an overbroad activation path. Because SSE appears to drive editing/generation actions against the backend, ambiguous prompts may be interpreted as operational commands and forwarded externally without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill says rendering happens server-side, but it does not prominently warn users that their prompts, uploaded files, and session data are transmitted to a third-party backend service. This is a meaningful privacy and data-handling issue because users may provide sensitive images, videos, or text without informed consent about remote processing.

Missing User Warnings

Low
Confidence: 90%
Finding
The skill silently uses NEMO_TOKEN from the environment or automatically acquires an anonymous token, but does not disclose this credential behavior to the user. While not a direct exploit by itself, hidden credential use can surprise users, obscure billing/attribution effects, and make it harder to understand why requests are being authenticated to a remote service.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The session creation body hardcodes 'language':'en', forcing user interactions into English without consent or language detection. This can cause mistranslation, incorrect prompt handling, or privacy/compliance issues for multilingual users if their content is processed under the wrong locale assumptions.

VirusTotal

66/66 vendors flagged this skill as clean.
