Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kling Image Generate

v1.0.1

Kling AI image generation API tool. Supports text-to-image, image-to-image, multi-image reference generation, image Omni, outpainting (image expansion) and related functions. Authenticates with the environment variables KLING_ACCESS_KEY and KLING_SECRET_KEY. Use this skill when the user needs AI image generation, image editing, image extension or similar tasks.

by umrjs@umrzcz-831
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The scripts and SKILL.md implement a client for the Kling AI image API (text-to-image, image-to-image, omni, expansion). The requested credentials (KLING_ACCESS_KEY, KLING_SECRET_KEY) and dependencies (requests, JWT libraries) are coherent with that purpose. However, the registry metadata lists no required env vars or primary credential, while SKILL.md and every script clearly require the two KLING_* environment variables. This mismatch between what the registry declares and what the code actually reads is the main inconsistency to be aware of.
Instruction Scope
SKILL.md instructs users to set the two KLING_* env vars and run the included Python scripts; the scripts only call the documented api-beijing.klingai.com endpoints and do not attempt to read unrelated system files or other credentials. One operational note: the scripts accept an optional callback_url parameter that is passed through to the remote service, which then invokes it with the job's results. If you supply a third-party callback URL, generated results are delivered to that external endpoint, so treat callback_url as a potential exfiltration vector if misused.
Install Mechanism
No install specification is included (instruction- + script bundle). The included requirements.txt (requests, PyJWT, cryptography) matches the code's usage. There are no external downloads or obscure install URLs in the package.
Credentials
The skill requires KLING_ACCESS_KEY and KLING_SECRET_KEY for JWT authentication — this is appropriate and necessary for the stated API calls. The concern is that the package/registry metadata omitted these required env variables (declared as 'none'), which is an internal inconsistency and could mislead less-technical users into installing without supplying keys. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request persistent 'always' inclusion and does not modify other skills or system-wide configuration. It runs as user-invoked scripts and has normal, limited privileges.
What to consider before installing
Before installing:
(1) Note that the package requires KLING_ACCESS_KEY and KLING_SECRET_KEY (the registry metadata incorrectly omitted them). Only provide keys you trust, and consider issuing them from a dedicated account with limited quota and scope.
(2) Confirm you trust the API host api-beijing.klingai.com and are comfortable that the service will receive JWT-authenticated requests signed with your secret.
(3) Avoid supplying an untrusted callback_url; it causes results to be posted to an external endpoint.
(4) Install dependencies in an isolated environment (virtualenv) and review the scripts yourself. If you later suspect key leakage, rotate the keys.
If you want higher assurance, ask the publisher for a homepage or source repo and a corrected metadata entry that lists the required env vars.
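Step (4) says to review the scripts yourself, and the earlier sections identify three things worth checking in that review: which environment variables the code reads (to compare against what the registry declares), which hosts it contacts, and whether a caller-supplied callback_url exists. The script below is an added example written for this page, not code from the skill or from ClawHub. It parses a script with Python's ast module and reports those three facts; SAMPLE_SCRIPT is a constructed stand-in for one of the bundle's files, and the declared_env list and allowed_hosts set are inputs you fill from the registry entry and the documented API host.

```python
"""Offline audit of a skill bundle's Python source: env vars read, hosts
contacted, and any parameter that looks like a caller-supplied callback URL.
Added example for this review page; not the skill's own code."""
import ast
import re
from urllib.parse import urlparse

# Constructed sample standing in for one of the skill's scripts (not the real
# file). It reads the two KLING_* variables, posts to the API host and lets the
# caller pass a callback_url, which is the pattern the scan report describes.
SAMPLE_SCRIPT = '''
import os, time, jwt, requests
AK = os.environ["KLING_ACCESS_KEY"]
SK = os.getenv("KLING_SECRET_KEY")
BASE = "https://api-beijing.klingai.com/v1/images/generations"
def submit(prompt, callback_url=None):
    token = jwt.encode({"iss": AK, "exp": int(time.time()) + 1800}, SK, algorithm="HS256")
    body = {"prompt": prompt}
    if callback_url:
        body["callback_url"] = callback_url
    return requests.post(BASE, json=body, headers={"Authorization": "Bearer " + token})
'''

URL_RE = re.compile(r"https?://[^\s'\"]+")
_INDEX = getattr(ast, "Index", ())  # Python < 3.9 wraps subscript slices


def _is_os_environ(node):
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def _const_str(node):
    if isinstance(node, _INDEX):
        node = node.value
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def env_vars_read(source):
    """Names read via os.environ[...], os.environ.get(...) or os.getenv(...)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Subscript) and _is_os_environ(node.value):
            key = _const_str(node.slice)
            if key:
                names.add(key)
        elif isinstance(node, ast.Call) and node.args and isinstance(node.func, ast.Attribute):
            f = node.func
            is_getenv = f.attr == "getenv" and isinstance(f.value, ast.Name) and f.value.id == "os"
            is_environ_get = f.attr == "get" and _is_os_environ(f.value)
            if is_getenv or is_environ_get:
                key = _const_str(node.args[0])
                if key:
                    names.add(key)
    return names


def hosts_contacted(source):
    """Hostnames of every http(s) URL literal in the source."""
    hosts = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                hosts.add(urlparse(url).hostname)
    return hosts


def callback_params(source):
    """Function parameters whose name suggests a caller-supplied callback/webhook URL."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for arg in node.args.args + node.args.kwonlyargs:
                if re.search(r"callback|webhook", arg.arg, re.I):
                    found.append(f"{node.name}({arg.arg})")
    return found


def audit(source, declared_env, allowed_hosts):
    """Compare what the code does against what the registry declares; return findings."""
    findings = []
    undeclared = env_vars_read(source) - set(declared_env)
    if undeclared:
        findings.append("env vars read but not declared in registry metadata: "
                        + ", ".join(sorted(undeclared)))
    unexpected = hosts_contacted(source) - set(allowed_hosts)
    if unexpected:
        findings.append("hosts outside the documented API: " + ", ".join(sorted(unexpected)))
    cb = callback_params(source)
    if cb:
        findings.append("caller-supplied callback URL(s): " + ", ".join(cb)
                        + " (results can be posted to an external endpoint)")
    return findings


if __name__ == "__main__":
    # The registry for this skill declared no env vars, so pass an empty list.
    for line in audit(SAMPLE_SCRIPT, declared_env=[], allowed_hosts={"api-beijing.klingai.com"}):
        print("-", line)
```

To use it on the real bundle, unzip it and call audit() on the contents of each .py file; a clean result is an empty list, and for this skill you should expect exactly the undeclared KLING_* variables and the callback_url parameter that the scan report describes, with no hosts beyond api-beijing.klingai.com. URL literals assembled at runtime from fragments will not show up in hosts_contacted, so treat an empty host set as a prompt to read the code by hand rather than as proof of no network activity.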

Like a lobster shell, security has layers — review code before you run it.

