Kling Image Generate

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Kling image-generation helper that sends user-provided prompts and image references to Kling’s API, with no evidence of hidden persistence, destructive behavior, or unrelated data access.

Install only if you are comfortable sending the prompts, image inputs or image URLs, callback URLs, and task metadata you provide to Kling’s API. Keep the Kling API keys private, consider using a dedicated or limited key, and install the Python dependencies in a virtual environment with pinned versions if possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation instructs use of environment variables for API credentials and multiple scripts that call an external service, but the skill does not declare corresponding env/network permissions. Undeclared sensitive capabilities reduce transparency and policy enforcement, increasing the chance that credentials or outbound access are used without proper review.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits user-provided image data, prompts, and optional callback metadata to a third-party remote API, but it does not provide a clear consent or disclosure step at the point of use. In a skill context, users may supply sensitive images or prompts without realizing that this data leaves the local environment and is processed by an external service.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script sends prompts, optional images, and callback metadata to an external cloud API, but there is no explicit consent notice or warning at execution time. In an agent-skill context, users may not realize that potentially sensitive text or image content is leaving the local environment and being processed by a third party.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script sends prompts, image URLs/references, optional element IDs, and an optional callback URL to a third-party API without any explicit consent notice or user-facing disclosure at runtime. In an agent-skill context, this can surprise users and lead to unintended sharing of sensitive prompts, internal image URLs, or operational endpoint details.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
PyJWT>=2.8.0
cryptography>=41.0.0
Confidence
96% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
PyJWT>=2.8.0
cryptography>=41.0.0
Confidence
96% confidence
Finding
PyJWT>=2.8.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
PyJWT>=2.8.0
cryptography>=41.0.0
Confidence
95% confidence
Finding
cryptography>=41.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
requests

Known Vulnerable Dependency: PyJWT — 8 advisory(ies): CVE-2026-32597 (PyJWT accepts unknown `crit` header extensions); CVE-2024-53861 (PyJWT Issuer field partial matches allowed); CVE-2022-29217 (Key confusion through non-blocklisted public key formats) +5 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
PyJWT

Known Vulnerable Dependency: cryptography — 10 advisory(ies): GHSA-39hc-v87j-747x (Vulnerable OpenSSL included in cryptography wheels); CVE-2023-50782 (Python Cryptography package vulnerable to Bleichenbacher timing oracle attack); GHSA-5cpq-8wj7-hf2v (Vulnerable OpenSSL included in cryptography wheels) +7 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
cryptography

VirusTotal

65/65 vendors flagged this skill as clean.
