ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kling Video

v1.0.0

Generate AI videos with Kuaishou Kling via AceDataCloud API. Use when creating videos from text or images, extending existing videos, or applying motion cont...

0· 56·0 current·0 all-time
by@germey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's purpose (generate videos via AceDataCloud Kling) matches the curl examples and endpoints in SKILL.md, so capabilities align; however the published registry metadata lists no required environment variables or primary credential while the SKILL.md explicitly states 'Requires ACEDATACLOUD_API_TOKEN'. That manifest/metadata omission is an incoherence and should be fixed before trusting the skill.
Instruction Scope
SKILL.md contains concrete HTTP examples and parameter definitions limited to the stated API endpoints (POST to api.acedata.cloud). It does not instruct reading unrelated local files. Note: the documented 'callback_url' parameter can be set to arbitrary endpoints by the caller; if an agent or user supplies an attacker-controlled callback, uploaded/generated media or task results could be sent to a third-party URL.
Install Mechanism
Instruction-only skill with no install steps or downloaded code — lowest install risk.
!
Credentials
The runtime instructions require ACEDATACLOUD_API_TOKEN, which is proportional for API access, but the skill registry metadata did not declare this required environment variable or a primary credential. The missing declaration reduces transparency and prevents proper permission review.
Persistence & Privilege
No special persistence requested (always:false). Default autonomous invocation is allowed (platform default) but the skill does not request persistent system-wide changes or access to other skills' config.
What to consider before installing
This skill appears to be a straightforward instruction-only wrapper for AceDataCloud's Kling API, but the published metadata omits the required ACEDATACLOUD_API_TOKEN—ask the publisher to update the manifest to declare that primary credential before installing. Treat any token you provide as sensitive: use least-privilege or short-lived credentials if possible. Be cautious with the callback_url parameter: if you allow the agent to set arbitrary callback URLs, results or uploaded media could be sent to third-party endpoints. Verify the API domain (api.acedata.cloud), the skill owner identity, and any privacy/terms for uploading video content before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fz9c3rp1ma5vafqpq1vba5583dz90

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments