ClawHub

Comic Panel Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward comic image generator that sends prompts to the disclosed Neta/TalesOfAI API and does not show hidden, persistent, or destructive behavior.

Install only if you are comfortable sending your image prompts, optional reference image UUIDs, and Neta token to the Neta/TalesOfAI service. Do not include secrets, private business data, or sensitive personal information in prompts, and rotate the token if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The invocation guidance is overly broad and vague, which can cause the skill to trigger in contexts where a user did not clearly intend to call an external image-generation service. In this skill, that matters because prompts may be sent to a third-party API, increasing the chance of accidental data disclosure or unintended external actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation does not warn users that their text prompts and any reference image UUIDs may be transmitted to the external Neta API. This creates a real privacy and consent risk because users may provide sensitive prompts or identifiers without understanding that the data leaves the local environment and is processed by a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends both the user prompt and the authentication token to a third-party service, but it does not clearly disclose that data will leave the local environment or identify the actual external endpoint in user-facing behavior. This is dangerous because prompts may contain sensitive content and the token grants access to an external account/API, creating privacy and credential-exposure risk if users assume the tool is local or first-party.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal