Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and SKILL.md consistently describe a Kling AI (快手可灵) text/image-to-video assistant with motion brush, lip-sync, and camera controls — those capabilities align with the provided instructions and example API calls.
Instruction Scope
The SKILL.md gives concrete guidance for calling a Kling-style API (OpenAI-compatible calls) and examples for uploading media and polling job status. It does not instruct arbitrary system access (no file-system scanning or unrelated credential harvesting). However, it does implicitly require sending user media (images, video, audio) to an external endpoint, which has privacy implications and should be explicit in metadata.
Install Mechanism
This is instruction-only (no install spec, no code files). That minimizes risk from arbitrary code installs — nothing is written to disk by the skill bundle itself.
Credentials
The SKILL.md example uses an API key (api_key="your_kling_api_key") and a base_url (https://api.klingai.com/v1), but the skill metadata declares no required environment variables or primary credential. This mismatch (documented need for a secret but no declared requirement) is a transparency/operational concern. Also, the skill's operation involves uploading user media to an external service — that requires trusting the remote service's data handling and retention policies.
Persistence & Privilege
The skill does not request persistent 'always' installation and does not declare any special system-wide modifications. Autonomous invocation is allowed by default but is not combined with other high privileges here.
What to consider before installing
This skill appears to be a documentation-only helper for a Kling AI video API and will send user media (images, audio, video) to an external endpoint. Before installing or using:
1) confirm the skill's provenance (who published it and whether there's an official homepage or privacy policy for https://api.klingai.com),
2) treat any API key as sensitive — the manifest should declare a required credential but does not, so ask the publisher how secrets are expected to be provided and stored,
3) consider privacy: uploaded media may be stored or used by the remote service, so avoid sending sensitive personal data unless you trust the provider and have reviewed data-retention/terms, and
4) if you need stronger assurance, request the publisher add explicit requires.env entries (e.g., KLING_API_KEY, KLING_BASE_URL) and a homepage or docs link so you can audit where your data will go.
Like a lobster shell, security has layers — review code before you run it.
latestvk978gxv0kgvmd24kqc5s4gdhbh83d9sw
