Dnd Character Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: it sends D&D character prompts to a disclosed external image-generation service and returns an image URL.

Install only if you trust Neta/TalesOfAI with your prompts, optional reference IDs, and API token. Avoid submitting confidential campaign material or personal data, and prefer a token with limited scope, because passing it on the command line with --token may leave it in local command-line traces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The README instructs users to provide an API token and send prompts and optional reference-image identifiers to a third-party image generation service, but it does not clearly disclose that user-supplied content may be transmitted off-system. This creates a privacy and data-handling risk because users may unknowingly submit sensitive character concepts, campaign material, or reference assets to an external provider.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The trigger guidance is overly broad: 'Use when someone asks to generate or create dnd character art generator images' can cause the skill to activate on loosely related image-generation requests without clearly scoping that prompts will be sent to a third-party API. Overbroad invocation increases the chance of unintended external data disclosure or accidental token-authenticated requests when a user did not explicitly intend to use this provider.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill description does not warn users that their prompts and token-authenticated requests are transmitted to an external image generation service. This omission can mislead users into sharing sensitive or proprietary text, and it reduces informed consent around third-party processing and credential use.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script sends both the user-supplied prompt and the API token to a third-party service, but it does not clearly disclose that user content will leave the local environment or identify the external provider in a user-facing warning. In a skill context, users may assume a local-only image generation helper, so silent external transmission of prompts and credentials creates a privacy and trust risk even though HTTPS is used.

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 94%
Finding: https://api.talesofai.com/
Content (flagged code excerpt, shown as it appears in the skill):

  }

    let taskUuid;
    const makeRes = await request('POST', 'https://api.talesofai.com/v3/make_image', body);

    if (typeof makeRes === 'string') {
      taskUuid = makeRes.trim();

VirusTotal

63/63 vendors flagged this skill as clean.