Kawaii Art Generator

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward image-generation skill that sends user-provided prompts and a Neta API token to the disclosed Neta service.

Install only if you are comfortable sending your prompt, optional reference UUID, and Neta API token to api.talesofai.com. Avoid using sensitive or confidential prompts, and prefer passing the token through a shell variable or other controlled secret mechanism rather than typing the raw token directly into command history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly states that prompts and API tokens are sent to a third-party image generation service, but it does not clearly warn users about the privacy and data-sharing implications. Users may unknowingly submit sensitive prompts or mishandle tokens, leading to unintended disclosure of proprietary, personal, or confidential data to the external provider.

Vague Triggers

Medium
Confidence: 94%
Finding
The skill says to use it when someone asks to "generate or create kawaii art generator images," which is a broad and somewhat tautological trigger that can cause over-invocation outside clearly scoped user intent. Overly broad invocation guidance can make an agent select this skill in ambiguous situations, increasing the chance of unnecessary external API use, token exposure in workflow context, or unintended image-generation actions.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script requires an API token via the command line and then places it into an HTTP header for outbound requests. Passing secrets on the CLI is risky because they can be exposed through shell history, process listings, job logs, and telemetry, which can lead to token theft and unauthorized use of the third-party image API.

VirusTotal

65/65 vendors flagged this skill as clean.
