Selfie Art Generator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent image-generation skill that sends prompts and a Neta token to the disclosed Neta/TalesOfAI API, with minor review notes about credential use, external processing, and limited provenance metadata.
This skill looks safe for its stated purpose if you are comfortable giving it a Neta API token and sending image prompts to api.talesofai.com. Use a dedicated token if possible, avoid sensitive prompt content, and note that the registry metadata does not provide a source repository or homepage.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the skill can submit image-generation jobs using the user's Neta token.
The skill requires a provider API credential. This is purpose-aligned for image generation, but it means requests are made under the user's Neta account or quota.
"name": "NETA_TOKEN", "description": "Neta AI API token. Get it at https://www.neta.art/open/", "required": true
Use a dedicated or limited API token where possible, avoid exposing the token in shared logs or chats, and rotate it if it is accidentally disclosed.
Text prompts, which may describe people or personal preferences, leave the local environment and are processed by the provider.
The user's prompt is sent to an external image-generation API along with token-authenticated headers. This is disclosed and necessary for the skill's purpose, but it is still an external data flow.
rawPrompt: [{ type: 'freetext', value: prompt, weight: 1 }] ... fetch('https://api.talesofai.com/v3/make_image', { method: 'POST', headers: HEADERS, body: JSON.stringify(body) })
Do not include sensitive personal details in prompts unless you are comfortable sharing them with the Neta/TalesOfAI service, and review the provider's privacy terms.
It may be harder to independently verify the maintainer, project history, or upstream source before installing.
The provided registry metadata does not identify a source repository or homepage. The included code is small and reviewable, so this is a provenance note rather than a concrete security concern.
Source: unknown
Homepage: none
Install only from a trusted registry/source and review the included files if provenance matters for your use case.
