Stained Glass Art Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed third-party image generator that sends prompts to Neta/TalesOfAI, with no evidence of hidden or unrelated behavior.

Install only if you trust Neta/TalesOfAI with your image prompts, optional reference image UUIDs, and API token. Avoid sensitive or regulated content in prompts, and prefer a limited or revocable token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill declares only `tools: Bash` but its documented usage explicitly requires a Neta API token and invokes a remote image generation service, which implies network access. Undeclared network capability is a real security concern because it can mislead reviewers and users about what data may leave the environment, especially when prompts or tokens may be transmitted to a third party.

External Transmission

Medium
Category: Data Exfiltration
Content:
console.error("");

async function createTask() {
  const res = await fetch("https://api.talesofai.com/v3/make_image", {
    method: "POST",
    headers,
    body: JSON.stringify(body),
Confidence: 92%
Finding:
fetch("https://api.talesofai.com/v3/make_image", { method: "POST"

External Transmission

Medium
Category: Data Exfiltration
Content:
console.error("");

async function createTask() {
  const res = await fetch("https://api.talesofai.com/v3/make_image", {
    method: "POST",
    headers,
    body: JSON.stringify(body),
Confidence: 92%
Finding:
https://api.talesofai.com/

VirusTotal

61/61 vendors flagged this skill as clean.
