Anime Character Generator

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward anime image generator that uses an external API; the token and prompt handling are expected for that purpose, but users should know they are sharing data with the provider.

Install only if you trust this publisher and are comfortable sending your prompt, optional reference UUID, and Neta API token to api.talesofai.com. Prefer a dedicated or revocable token, avoid sensitive prompts or proprietary reference identifiers, and use an environment variable or other secret-safe workflow rather than typing long-lived tokens directly into shell history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README instructs users to supply an API token and send prompts and optional reference-image UUIDs to a third-party image-generation service, but it does not clearly disclose that this data leaves the local environment and is processed externally. This can lead users to unknowingly transmit sensitive prompts, account-linked identifiers, or proprietary creative material to an external provider, creating privacy, compliance, and data-handling risks.

Vague Triggers

Medium
Confidence: 76%
Finding
The trigger guidance says to use the skill when someone asks to generate or create anime character generator images, which is broad and ambiguous rather than tightly scoped to this specific capability. Overly broad invocation criteria can cause the agent to invoke the skill unnecessarily, leading to unintended external API calls, prompt/data disclosure to a third party, or user surprise.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script sends a user-supplied API token in the x-token header to a third-party service, but it provides no explicit warning that the credential will be transmitted off-host. In a skill/agent context, users may assume local processing, so silent credential transmission can lead to unintended secret disclosure to an external provider.

VirusTotal

63/63 vendors flagged this skill as clean.
