Baroque Art Generator

Security checks across malware telemetry and agentic risk

Overview

This is a small image-generation skill that does what it says: sends a prompt and user-provided token to the documented external image API and returns an image URL.

Install only if you are comfortable sending your prompt, selected size, optional reference image UUID, and Neta API token to api.talesofai.com. Use a revocable token, prefer an environment variable over typing the token directly into shell history, and avoid confidential, personal, or regulated content in prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation indicates use of a Neta API token and a Node script that calls an external service, but the manifest only declares `tools: Bash` and does not clearly declare network capability/permissions. This mismatch can cause users or host systems to underestimate what the skill can do, especially because it handles secrets and sends prompts to a third-party API.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to send prompts, tokens, and optional reference-image identifiers to a third-party API but does not clearly warn that user-supplied content is transmitted off-platform. This can lead users to unknowingly submit sensitive or proprietary text prompts or image references to an external service, creating privacy, confidentiality, and compliance risks.

External Transmission

Medium
Category
Data Exfiltration
Content
  console.error(`→ Submitting: "${PROMPT.slice(0, 80)}${PROMPT.length > 80 ? '…' : ''}"`);
  console.error(`  Size: ${size} (${dims.width}×${dims.height})`);

  const submitRes = await fetch('https://api.talesofai.com/v3/make_image', {
    method: 'POST',
    headers,
    body: JSON.stringify(body),
Confidence
90% confidence
Finding
fetch('https://api.talesofai.com/v3/make_image', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
  console.error(`→ Submitting: "${PROMPT.slice(0, 80)}${PROMPT.length > 80 ? '…' : ''}"`);
  console.error(`  Size: ${size} (${dims.width}×${dims.height})`);

  const submitRes = await fetch('https://api.talesofai.com/v3/make_image', {
    method: 'POST',
    headers,
    body: JSON.stringify(body),
Confidence
90% confidence
Finding
https://api.talesofai.com/

VirusTotal

64/64 vendors flagged this skill as clean.