90s Anime Art Generator

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward external image generator, with the main caution that it asks users to pass an API token on the command line.

Install only if you trust the Neta/TalesOfAI service with your prompts and API token. Avoid pasting real tokens into shared terminals, logs, screenshots, or CI output; prefer adapting the command to read the token from an environment variable or other protected secret source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill declares only the Bash tool and no explicit permissions, yet its documented behavior depends on calling the external Neta API over the network. That mismatch can bypass user or platform expectations about what the skill is allowed to do, especially because prompts and API tokens are sent to a third party.

Missing User Warnings

Medium
Confidence: 96%
Finding
The README explicitly tells users to supply the API token via a command-line flag, which can expose credentials through shell history, process listings, terminal logging, CI logs, and screenshots. While this is documentation rather than executable code, it normalizes an insecure secret-handling pattern and increases the likelihood that users will leak valid API credentials.

VirusTotal

65/65 vendors flagged this skill as clean.
