Manga Panel Generator

Security checks across malware telemetry and agentic risk

Overview

This is a small manga image-generation skill that sends user-provided prompts and a Neta token to the disclosed Neta/TalesOfAI API, with no evidence of hidden persistence, destructive behavior, or unrelated data access.

Install only if you are comfortable sending your prompts, optional reference image UUIDs, and Neta API token to Neta/TalesOfAI. Prefer using a shell variable for the token instead of typing the raw token directly into commands, and avoid sensitive prompt content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium, 97% confidence
Finding
The README explicitly tells users to supply the API token via a command-line flag, which can expose the credential through shell history, process listings, CI logs, and terminal recordings. Because this is a public installation guide for a skill likely to be used by non-experts, the documentation materially increases the chance of accidental secret disclosure.

Vague Triggers

Medium, 79% confidence
Finding
The trigger guidance, 'Use when someone asks to generate or create manga panel generator images,' is broad enough to cause the skill to activate for many ordinary image-generation requests without ensuring the user intended this specific external provider. That can lead to unnecessary prompt/token transmission to a third-party API and accidental tool invocation.

Missing User Warnings

Medium, 96% confidence
Finding
The skill asks users to provide a Neta API token and prompt but does not warn that these inputs are transmitted to an external service. Without this disclosure, users may unknowingly share sensitive prompts, account credentials, or image references with a third party, creating privacy and security risk.

VirusTotal

61/61 vendors flagged this skill as clean.
