Security audit

Generate artist-backed illustrations by Antekirt

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Antekirt image-generation skill, but users should protect the API key and avoid sensitive prompts because requests go to Antekirt and may spend credits.

Install only if you intend to use Antekirt. Keep ANTEKIRT_API_KEY secret, set ANTEKIRT_BASE_URL only to the official Antekirt API host, avoid putting private data in prompts, and explicitly approve image, SVG, or video generation because those operations can consume credits.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill declares required environment variables and explicitly documents outbound API calls, but there is no explicit permission declaration for sensitive capabilities like network access and reading API-key-bearing environment variables. This creates a transparency and governance gap: users or hosting systems may not realize the skill can transmit prompts and credentials to an external service.

Vague Triggers

Medium

Confidence: 77% confidence
Finding: The trigger phrases include very generic terms such as "illustrate", "generate an image", "draw", and "create art", which can match many ordinary user requests. Overbroad activation increases the chance the skill is invoked unintentionally, causing unnecessary external data transmission, API usage, or charges.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The usage instructions direct the user to send prompts and an API key to a third-party service but do not provide an explicit privacy warning about external transmission and retention. Users may unknowingly submit sensitive prompts or use organizational credentials without understanding the exposure to a remote vendor.

Missing User Warnings

Medium

Confidence: 74% confidence
Finding: The guide instructs users to set an API key in an environment variable but does not warn that the key is sensitive or should never be pasted into Discord, screenshots, logs, or shared shell history. In a Discord/OpenClaw workflow, users may follow setup steps in collaborative or visible environments, increasing the chance of accidental credential disclosure and downstream unauthorized API usage.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal