Isekai Character Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward API-backed anime character image generator, but users should treat prompts and the API token as shared with the external image service.

Install only if you are comfortable sending your prompt, optional reference image UUID, and Neta API token to api.talesofai.com. Prefer passing the token through a protected environment variable rather than typing it literally in commands, and avoid private or sensitive content in prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares only `tools: Bash` but its documented usage clearly sends prompts and tokens to an external Neta API, which implies network access that is not explicitly declared. This weakens permission transparency and can mislead users about data egress, especially because user prompts and API tokens may be transmitted to a third party.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill advertises Neta AI but sends requests to api.talesofai.com while using Neta/Nieta-branded headers, which is a strong service-identity mismatch. This can mislead users into disclosing prompts and API tokens to a different provider than expected, undermining informed consent and potentially exposing credentials to an unintended third party.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The CLI explicitly tells users to obtain a token from Neta, but the code submits that token to TalesOfAI endpoints. That mismatch can cause users to hand a credential to a service they did not intend to authorize, which is especially risky if tokens are reusable or accepted across related systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to pass the API token on the command line via --token, which can expose the credential through shell history, process listings, audit logs, and CI job output. Because this skill is intended for routine local CLI use, users are likely to follow the documented pattern directly, increasing the chance of accidental token disclosure.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The invocation guidance says to use the skill when someone asks to generate or create isekai character art generator images, which is broad and repetitive enough to encourage over-triggering. Overly loose activation criteria can cause the skill to run in contexts where the user did not clearly intend external image generation, increasing the chance of unnecessary prompt transmission or token use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The request sends the user's prompt, optional reference identifiers, and x-token to an external API without any upfront disclosure in the skill's interface or runtime messaging. For a character-generation skill this may seem routine, but undisclosed external transmission of user content and credentials still creates privacy and trust risks.

External Transmission

Medium
Category
Data Exfiltration
Content
    body.inherit_params = { collection_uuid: ref, picture_uuid: ref };
  }

  const res = await fetch('https://api.talesofai.com/v3/make_image', {
    method: 'POST',
    headers: {
      'x-token': token,
Confidence
84% confidence
Finding
fetch('https://api.talesofai.com/v3/make_image', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
    body.inherit_params = { collection_uuid: ref, picture_uuid: ref };
  }

  const res = await fetch('https://api.talesofai.com/v3/make_image', {
    method: 'POST',
    headers: {
      'x-token': token,
Confidence
84% confidence
Finding
https://api.talesofai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
for (let i = 0; i < 90; i++) {
    await new Promise((r) => setTimeout(r, 2000));

    const res = await fetch(`https://api.talesofai.com/v1/artifact/task/${taskUuid}`, {
      headers: {
        'x-token': token,
        'x-platform': 'nieta-app/web',
Confidence
78% confidence
Finding
https://api.talesofai.com/

VirusTotal

65/65 vendors flagged this skill as clean.