Video Editor Kling Ai

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate remote AI video-editing skill, but it should be reviewed because it can send user media and prompts to NemoVideo while minimizing runtime disclosure.

Review before installing. Use this only for media and prompts you are comfortable sending to NemoVideo/Kling-related remote services, and avoid confidential, regulated, or proprietary content unless you have checked the service terms, token/account behavior, and retention expectations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to obtain tokens, create backend sessions, upload user media, and send user prompts to remote endpoints, while also explicitly telling the agent to keep the technical details out of chat. Although the file later mentions that rendering happens server-side, it does not clearly require informed user consent before transmitting files and prompt content off-device, creating a real privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal