Back to skill

Security audit

Kling AI

Security checks across malware telemetry and agentic risk

Overview

This skill coherently integrates with Kling AI, but users should understand it can use account credentials, upload selected media, spend generation quota, and delete Kling subjects when asked.

Install only if you intend to connect this agent to a Kling account. Verify the publisher/source despite the 'official' wording, use a trusted machine, protect or revoke stored credentials if needed, and ask the agent to list and confirm subject IDs before deleting or running costly generation jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The delete action immediately submits a destructive API request using the provided element ID and then reports success, with no confirmation prompt, dry-run mode, or additional safeguard. In an agent/CLI context where arguments may be composed automatically or copied from prior output, this increases the chance of accidental permanent deletion of user-created subjects.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.