Security audit

Fantasy Map Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to generate fantasy map images as described, using a disclosed external image API, but users should handle the API token and prompts carefully.

Install only if you are comfortable sending map prompts and a Neta API token to api.talesofai.com. Treat the token like a password, prefer passing it from an environment variable rather than typing a raw token into shared commands, and avoid including private, regulated, or proprietary content in prompts unless you trust that provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The skill description claims it uses the Neta AI API, but the code actually sends the user's prompt and token to api.talesofai.com. This is a deceptive service mismatch that can mislead users about where their data and credentials are going, undermining informed consent and potentially exposing secrets to an unexpected third party.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README explicitly instructs users to provide a prompt and API token to a third-party image generation service, but it does not clearly disclose that user-supplied content will be transmitted off-system to an external provider. This can mislead users into sending sensitive worldbuilding notes, proprietary game assets, or personal data without informed consent, and it also normalizes passing secrets via CLI arguments, which may be exposed through shell history or process listings.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The invocation guidance is overly broad: 'Use when someone asks to generate or create fantasy map generator images' does not meaningfully constrain when the skill should activate. Broad triggers can cause the agent to invoke this skill in loosely related image-generation contexts, increasing the chance of unnecessary external API calls, unintended data sharing to a third-party service, or use of the wrong tool for the task.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The documentation instructs users to pass an API token via a command-line flag but provides no warning about credential exposure. Tokens passed on the command line may be visible in shell history, process listings, logs, or screenshots, which can lead to accidental credential leakage and unauthorized use of the Neta API account.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The code collects a user-supplied token and prompt, then transmits them in request headers and request bodies to an external API without meaningful runtime disclosure or confirmation. In this skill context, prompts may contain proprietary worldbuilding content and the token is a sensitive credential, so silent exfiltration to a remote service creates privacy and account-risk concerns.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal