ClawHub
Back to skill

Security audit

Coloring Page Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward coloring-page generator that calls a third-party image API, with privacy and scoping caveats but no evidence of hidden or destructive behavior.

Install only if you are comfortable sending your coloring-page prompt, optional reference image UUID, and Neta API token to the remote Neta/TalesOfAI service. Avoid sensitive or confidential prompts, and consider using shell practices that keep tokens out of command history where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to send free-form prompts and optional reference-image identifiers to a third-party image generation API, but it does not clearly disclose that this data leaves the local environment and is processed by an external service. This can lead users to submit sensitive personal, proprietary, or regulated content without informed consent, increasing privacy, compliance, and data-handling risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The usage guidance is overly broad: "Use when someone asks to generate or create coloring page generator images" provides little scoping and may cause an agent to invoke this skill whenever image generation is mentioned, even when a different tool would be more appropriate. In this case the skill calls an external API and may consume tokens or send user prompts off-platform, so unnecessary invocation increases privacy and cost risk, though the domain itself is low sensitivity.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.