ClawHub

Gothic Portrait Generator

Security checks across malware telemetry and agentic risk

Overview

This is a small image-generation skill that does what it advertises, but users should treat prompts, reference IDs, and the API token as data sent to an external service.

Install only if you are comfortable sending your prompt, any reference image UUID, and a Neta/TalesOfAI API token to api.talesofai.com. Avoid sensitive personal, proprietary, or regulated content, and prefer a limited-use token because the documented --token flag may appear in command history, process listings, or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares only Bash tooling and does not disclose any network permission or external data transfer, yet its documented usage clearly depends on an external API token and remote image generation service. This creates a transparency and consent problem: users may invoke the skill without understanding that prompts, tokens, and possibly reference-image identifiers will be sent to a third party.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill description says it uses the Neta AI API for gothic portrait generation, but the analyzed behavior indicates it actually uses TalesOfAI endpoints, accepts arbitrary prompts, and supports reference-based editing beyond the declared scope. This mismatch is dangerous because it can mislead users about where their data goes and what the skill is capable of doing, undermining informed consent and enabling unexpected third-party exfiltration or broader content generation than advertised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly instructs users to send free-form prompts and optional reference image identifiers to an external image-generation API, but it does not disclose that user content will leave the local environment or describe any privacy, retention, or third-party handling implications. This can lead users to submit sensitive personal, proprietary, or regulated content under the false assumption that processing is local or privacy-neutral.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger guidance says to use the skill whenever someone asks to generate gothic portrait generator images, which is overly broad and can cause the agent to invoke the skill in contexts that do not clearly require this specific external API call. Overbroad invocation increases the chance of unnecessary third-party data sharing and makes it easier for unrelated user requests to be routed into a networked generation workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill requires an API token via a command-line flag and then includes that token in outbound HTTP headers. Command-line arguments are commonly exposed through shell history, process listings, CI logs, and agent telemetry, so this creates an avoidable credential exposure risk even if the network transmission itself uses HTTPS.

External Transmission

Medium
Category
Data Exfiltration
Content
async function main() {
  // Submit the image generation task
  const createRes = await fetch("https://api.talesofai.com/v3/make_image", {
    method: "POST",
    headers,
    body: JSON.stringify(body),
Confidence
86% confidence
Finding
fetch("https://api.talesofai.com/v3/make_image", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
async function main() {
  // Submit the image generation task
  const createRes = await fetch("https://api.talesofai.com/v3/make_image", {
    method: "POST",
    headers,
    body: JSON.stringify(body),
Confidence
86% confidence
Finding
https://api.talesofai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
for (let attempt = 0; attempt < 90; attempt++) {
    await new Promise(resolve => setTimeout(resolve, 2000));

    const pollRes = await fetch(`https://api.talesofai.com/v1/artifact/task/${taskUuid}`, {
      headers,
    });
Confidence
81% confidence
Finding
https://api.talesofai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal