🫧 Kling 3.0 — Pro Pack on RunComfy

Advisory. Audited by static analysis on May 6, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A generation request may incur charges, especially for longer, audio-enabled, Pro, or 4K outputs.

Why it was flagged

The skill can invoke RunComfy CLI endpoints that are explicitly priced, so use is purpose-aligned but can spend RunComfy credits or money.

Skill content

Calls `runcomfy run kling/kling-3.0/<tier>/<mode>` through the local RunComfy CLI ... Rate ... $0.42/s flat

Recommendation

Confirm the tier, duration, audio setting, and approximate cost before running generations; use provider spending limits where available.

What this means

Anyone or any agent using the token can submit RunComfy jobs under the user's account and potentially consume paid credits.

Why it was flagged

The skill requires a RunComfy account credential or token, which is expected for the service but gives the agent delegated access to that account.

Skill content

RunComfy account: `runcomfy login` opens a browser device-code flow. ... set `RUNCOMFY_TOKEN=<token>`

Recommendation

Use a dedicated or least-privileged token if possible, avoid exposing it in chat or logs, and revoke or rotate it if no longer needed.

What this means

Installing or updating the CLI runs software from the npm ecosystem on the user's machine.

Why it was flagged

The prerequisite uses a global npm-installed CLI. This is central to the skill's purpose, but it depends on an external package source not bundled in the skill.

Skill content

RunComfy CLI: `npm i -g @runcomfy/cli`

Recommendation

Install the CLI only from the official package/source, consider pinning a version in controlled environments, and keep normal npm supply-chain safeguards in place.

What this means

Private images, faces, product shots, or confidential prompts could be exposed to the hosting location and the video-generation provider.

Why it was flagged

Image-to-video workflows require a URL that RunComfy/Kling can fetch, meaning source images and prompts are shared outside the local agent environment.

Skill content

For i2v endpoints: a publicly fetchable source image URL (HTTPS, JPEG/PNG/WebP).

Recommendation

Use non-sensitive inputs or controlled, expiring URLs, and review RunComfy/Kling data handling policies before submitting confidential material.