Back to skill

Security audit

Logo Design Generator

Security checks across malware telemetry and agentic risk

Overview

This is a small logo-generation skill that openly uses an external Neta/TalesOfAI image API and does not show hidden local access, persistence, or destructive behavior.

Install only if you are comfortable sending logo prompts, reference image IDs, and a Neta API token to the Neta/TalesOfAI service. Avoid putting confidential business details or secrets in prompts, and treat the token as sensitive because the documented CLI flag may expose it in shell history or process listings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly relies on an external API token and shows command examples that invoke a script likely making outbound requests, yet the skill metadata declares only `tools: Bash` and no permissions or network disclosure. This creates a transparency and policy-enforcement gap: agents or users may run a networked skill without clear permission boundaries, which can expose prompts, tokens, or generated content to a third-party service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to send free-form prompts and a token to an external image-generation API but gives no warning about privacy, retention, or third-party handling of submitted data. This is risky because users may include sensitive business, branding, or proprietary information in prompts or reference inputs without understanding that the data leaves their environment and may be logged, retained, or processed by an external service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends both the user-supplied prompt and the authentication token to a third-party API service, but it provides no explicit notice, consent flow, or privacy warning to the user beyond requiring the token. In an agent/skill context, users may reasonably assume local processing, so silent transmission of potentially sensitive branding ideas, proprietary prompts, or credentials is a meaningful privacy and trust risk.

External Transmission

Medium
Category
Data Exfiltration
Content
async function main() {
  console.error(`\n● Generating logo (${size} ${dimensions.width}×${dimensions.height})…`);

  const createRes = await fetch("https://api.talesofai.com/v3/make_image", {
    method: "POST",
    headers,
    body: JSON.stringify(body),
Confidence
89% confidence
Finding
fetch("https://api.talesofai.com/v3/make_image", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
async function main() {
  console.error(`\n● Generating logo (${size} ${dimensions.width}×${dimensions.height})…`);

  const createRes = await fetch("https://api.talesofai.com/v3/make_image", {
    method: "POST",
    headers,
    body: JSON.stringify(body),
Confidence
89% confidence
Finding
https://api.talesofai.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.