Mascot Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward mascot image generator that sends user-provided prompts and a token to the documented remote image API.

Install only if you are comfortable sending mascot prompts, optional reference UUIDs, and your Neta/TalesOfAI API token to the external image-generation service. Avoid putting secrets or highly confidential brand material in prompts, and avoid exposing the token in shared shell history, logs, or repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares only Bash but does not declare the network capability, even though its documented purpose is to send prompts and an API token to the external Neta image-generation service. This creates a transparency and permission-boundary problem: users and enforcement systems may not realize the skill performs outbound network requests involving sensitive inputs and credentials.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill metadata says it uses the Neta AI API, but the implementation actually sends data and credentials to talesofai.com. This mismatch is security-relevant because users may consent to one service while their prompt, reference UUID, and token are transmitted to another, undermining transparency and informed trust.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance is very broad ('Use when someone asks to generate or create brand mascot generator images'), which can cause the skill to trigger in more situations than necessary. Over-broad routing increases the chance that user prompts, attached context, or credentials are sent to an external service when a more local or privacy-preserving option might have sufficed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The markdown explains token usage and shows commands, but does not clearly warn that prompts and token-authenticated requests are sent to a third-party image-generation API. This omission can mislead users into sharing proprietary brand ideas, internal descriptions, or credentials without understanding the external disclosure and retention risks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The CLI transmits user-supplied prompts and optional reference identifiers to a third-party service without a clear privacy notice or explicit confirmation at send time. In this skill context, prompts may contain proprietary branding concepts or sensitive creative assets, so silent transmission increases the risk of unintentional disclosure.

VirusTotal

63/63 vendors flagged this skill as clean.