klingai-async-workflows
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill incorporates user-provided text prompts directly into API requests to Kling AI without sanitization or the use of boundary markers (found in `SKILL.md` and `references/workflow-implementation.md`). This creates a surface for indirect prompt injection where untrusted input could attempt to manipulate model behavior.
  - Ingestion points: Prompt data enters through function arguments in `SKILL.md` and job objects in `references/workflow-implementation.md`.
  - Boundary markers: The skill does not use delimiters or instructions to isolate user prompts from the rest of the request structure.
  - Capability inventory: The skill can perform network operations (via `requests` and `aiohttp`) and write to the local file system (seen in `SKILL.md`).
  - Sanitization: No evidence of input filtering or escaping was found in the provided scripts.
- [EXTERNAL_DOWNLOADS]: The skill contains logic to download video files from URLs generated by the Kling AI API and save them to the local disk (found in `SKILL.md`). This is a standard and expected operation for the skill's intended purpose.