Cinematic Kling

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it sends selected images to ComfyDeploy/Kling to generate a short video, with the main risk being third-party handling of those images.

Install only if you are comfortable sending the chosen character, item, and location images to ComfyDeploy/S3 for processing. Avoid private, biometric, confidential, or third-party images unless you have permission and accept the provider's handling terms. Use a dedicated ComfyDeploy API key where possible and monitor API usage or costs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly instructs users to upload user-provided images to ComfyDeploy storage, which is a third-party service, but provides no consent flow, privacy notice, retention policy, or warning about external processing. Because the inputs may contain faces, products, locations, or other sensitive content, this creates a real data-handling and privacy risk rather than a purely informational external call.

VirusTotal

64/64 vendors flagged this skill as clean.
