
Security audit

Disposable Camera Photo Generator

Security checks across malware telemetry and agentic risk

Overview

This is a small image-generation skill that sends prompts and a user-provided API token to a disclosed external image service, with credential-handling cautions but no hidden persistence or destructive behavior.

Install only if you trust the Neta/TalesOfAI service with your prompts, optional reference image UUIDs, and API token. Avoid putting sensitive text in prompts, and prefer using this on a private machine because the documented --token flag can leave secrets in shell history or process listings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares only the Bash tool but does not declare permissions even though its documented behavior requires outbound network access to the Neta API. This creates a transparency and governance gap: users or platforms may approve or run the skill without understanding that it sends prompts and tokens to an external service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to pass prompts, API tokens, and optional reference image identifiers to an external image generation service, but it does not clearly disclose that this data will be transmitted to a third party. This can lead users to unknowingly expose sensitive prompts, credentials, or image-linked identifiers to an external provider, creating privacy, confidentiality, and token-handling risks.

External Transmission

Medium
Category
Data Exfiltration
Content
console.error(`→ Submitting (${dims.width}×${dims.height})...`);

  const submitRes = await fetch('https://api.talesofai.com/v3/make_image', {
    method: 'POST',
    headers,
    body: JSON.stringify(body),
Confidence
93% confidence
Finding
fetch('https://api.talesofai.com/v3/make_image', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
console.error(`→ Submitting (${dims.width}×${dims.height})...`);

  const submitRes = await fetch('https://api.talesofai.com/v3/make_image', {
    method: 'POST',
    headers,
    body: JSON.stringify(body),
Confidence
93% confidence
Finding
https://api.talesofai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
for (let attempt = 0; attempt < 90; attempt++) {
    await sleep(2000);
    const pollRes = await fetch(`https://api.talesofai.com/v1/artifact/task/${task_uuid}`, {
      method: 'GET',
      headers,
    });
Confidence
88% confidence
Finding
https://api.talesofai.com/

VirusTotal

65/65 vendors flagged this skill as clean.
