Back to skill

Security audit

kling

Security checks across malware telemetry and agentic risk

Overview

This is a narrow RunAPI/Kling video-generation helper that uses a disclosed external CLI and expected authentication, with no hidden scripts or unrelated behavior found.

Install this only if you intend to use RunAPI for Kling video generation. Expect prompts, request JSON, and any supplied media to be sent to RunAPI/Kling, and expect the agent to use your RunAPI login or RUNAPI_API_KEY if available; avoid sending secrets or sensitive personal data unless intended and review the Homebrew tap, provider billing, and data policies first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill instructs the agent to authenticate with a RunAPI API key or saved CLI credentials and to invoke an external video-generation service, but it does not explicitly warn that user prompts, media inputs, and metadata may be transmitted off-platform. In an agent setting, this omission can lead to inadvertent disclosure of sensitive data or unsafe credential handling because operators may not realize the command sends data to a third-party service and relies on stored auth state.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.