Steampunk Art Generator

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward steampunk image-generation skill that sends user prompts and a user-supplied Neta token to the documented Neta/TalesOfAI API.

Install only if you are comfortable sending image prompts, optional reference image UUIDs, and your Neta API token to the TalesOfAI/Neta service. Prefer short-lived or low-scope tokens where available, avoid sensitive prompts, and be aware that passing tokens on the command line can expose them to local process listings or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill invokes an external image-generation API and requires users to pass an API token, but it declares no corresponding network permission. This creates a transparency and policy-enforcement gap: users and platforms may not realize the skill sends prompts and credentials off-host, which can expose sensitive input or bypass expected permission review.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to send free-form prompts and an optional reference image UUID to a third-party image generation service, but it does not clearly disclose that this data leaves the local environment and is transmitted to an external API. This can mislead users into submitting sensitive personal, proprietary, or regulated content under the assumption the skill is local-only, creating privacy, confidentiality, and compliance risks.

External Transmission

Medium
Category
Data Exfiltration
Content
};
  }

  const res = await fetch('https://api.talesofai.com/v3/make_image', {
    method: 'POST',
    headers: HEADERS,
    body: JSON.stringify(body),
Confidence
90% confidence
Finding
fetch('https://api.talesofai.com/v3/make_image', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
};
  }

  const res = await fetch('https://api.talesofai.com/v3/make_image', {
    method: 'POST',
    headers: HEADERS,
    body: JSON.stringify(body),
Confidence
90% confidence
Finding
https://api.talesofai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
for (let attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
    await new Promise(r => setTimeout(r, POLL_INTERVAL_MS));

    const pollRes = await fetch(`https://api.talesofai.com/v1/artifact/task/${taskUuid}`, {
      headers: HEADERS,
    });
Confidence
89% confidence
Finding
https://api.talesofai.com/

VirusTotal

65/65 vendors flagged this skill as clean.