ClawHub

App Icon Generator

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward app-icon generator that sends prompts to a disclosed third-party AI image service and shows no hidden persistence, destructive behavior, or unrelated access.

Install only if you are comfortable sending icon prompts, optional reference image UUIDs, and a Neta API token to the Neta/TalesOfAI service. Avoid including confidential product plans, private brand assets, regulated data, or other secrets in prompts unless that provider is approved for your use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation indicates use of an external API token and a Node script that will contact a third-party service, but the skill does not declare network capability/permission. This mismatch weakens user awareness and platform policy enforcement, making unintended outbound requests and data disclosure more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly instructs users to send free-form prompts and optional reference image identifiers to a third-party image generation API, but it does not warn that user-supplied content and related metadata may leave the local environment. This can lead to inadvertent disclosure of sensitive project details, proprietary design concepts, or user-associated image references, especially if operators assume the skill is purely local.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill asks users to pass an API token on the command line without warning that it is a sensitive secret. Command-line secrets can be exposed through shell history, process listings, logs, screenshots, or shared terminal transcripts, increasing the risk of credential theft and unauthorized API usage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal