Food Photography Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward food-image generator that sends user prompts and a token to a disclosed external image API, with no evidence of hidden persistence or unrelated data access.

Install only if you are comfortable sending food-image prompts, optional reference image UUIDs, and your Neta API token to the Neta/TalesOfAI service. Avoid including secrets, private customer data, unpublished campaign details, or other sensitive material in prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares only the Bash tool but documents use of an external Neta API token and a Node script that necessarily performs outbound network access. This creates a transparency and least-privilege problem: users and hosting systems are not clearly informed that the skill can send prompts and possibly sensitive input to a third-party service.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The skill metadata claims it uses the Neta AI API, but the implementation actually sends prompts and the provided API token to talesofai.com. This is a security-relevant trust boundary violation because users may disclose sensitive prompts or credentials under false assumptions about the receiving service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README tells users to provide free-form prompts and optional reference-image UUIDs to the tool, but it does not clearly warn that this data is transmitted to a third-party external API. This creates a privacy and data-handling risk because users may unknowingly submit sensitive business information, proprietary creative concepts, or identifying reference data to an external service.

External Transmission

Medium
Category
Data Exfiltration
Content
console.error(`→ Submitting prompt (${dims.width}×${dims.height})...`);

  const submitRes = await fetch('https://api.talesofai.com/v3/make_image', {
    method: 'POST',
    headers,
    body: JSON.stringify(body),
Confidence
94% confidence
Finding
fetch('https://api.talesofai.com/v3/make_image', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
console.error(`→ Submitting prompt (${dims.width}×${dims.height})...`);

  const submitRes = await fetch('https://api.talesofai.com/v3/make_image', {
    method: 'POST',
    headers,
    body: JSON.stringify(body),
Confidence
94% confidence
Finding
https://api.talesofai.com/

VirusTotal

65/65 vendors flagged this skill as clean.
