ClawHub

Book Cover Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward book-cover image generator that sends user prompts and a Neta token to the disclosed external image API.

Install only if you trust Neta/TalesOfAI with your prompts and generated-image workflow. Use a dedicated low-privilege token where possible, prefer environment-variable expansion over typing raw tokens into commands, and avoid submitting confidential manuscript material, private data, or secrets in prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill metadata and description claim it uses the Neta AI API, but the implementation sends requests to talesofai.com instead. This mismatch is dangerous because users may provide prompts and API tokens under false assumptions about the receiving service, creating a supply-chain trust and data disclosure issue.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly instructs users to send free-form prompts and an API token to a third-party image-generation service, but provides no warning about how submitted content, generated images, or tokens may be stored, logged, retained, or used by that external provider. This is risky because users may include unpublished manuscript details, sensitive creative material, or secrets in prompts without realizing they are leaving the local environment and being processed by an external service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to pass a Neta API token on the command line without any warning about credential sensitivity. Command-line secrets can be exposed through shell history, process listings, logs, screenshots, or shared transcripts, which increases the chance of token leakage and unauthorized API use.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code transmits the user's prompt and token to an external service with no meaningful disclosure beyond requiring a command-line token. In this skill context, users are likely to trust the stated vendor and may not realize their content and credentials are being sent to a different third-party endpoint.

External Transmission

Medium
Category
Data Exfiltration
Content
}

  // Submit job
  const submitRes = await request("POST", "https://api.talesofai.com/v3/make_image", body);

  let taskUuid;
  if (typeof submitRes === "string") {
Confidence
88% confidence
Finding
https://api.talesofai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
const pollRes = await request(
      "GET",
      `https://api.talesofai.com/v1/artifact/task/${taskUuid}`,
      null
    );
Confidence
85% confidence
Finding
https://api.talesofai.com/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal