ClawHub

Kpop Idol Generator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it sends a prompt to a disclosed third-party image-generation API and returns an image URL.

Install only if you trust the Neta/TalesOfAI service with your prompts, optional reference image UUIDs, and API token. Avoid using confidential prompts or sensitive image references, and prefer a limited-scope token because the current examples pass the token as a command-line argument.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises use of an external API token and invokes a Node script that necessarily performs network access, but the manifest does not declare corresponding permissions. Undeclared network capability reduces transparency and can bypass user expectations or platform policy checks, especially when a skill accepts secrets like API tokens and sends prompts to a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to submit free-form prompts and optional reference image UUIDs to a third-party image-generation API, but it does not clearly disclose that this data leaves the local environment and is transmitted to an external service. This can lead users to unknowingly send sensitive personal data, proprietary descriptions, or identifying image references to a remote provider, creating privacy, confidentiality, and compliance risks.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger condition is very broad: 'Use when someone asks to generate or create kpop idol style portrait images.' Without stronger scope constraints, an agent may invoke this skill too readily for loosely related image requests, causing unintended third-party API calls and unnecessary transmission of user prompts or tokens. In a networked skill, over-broad activation increases the chance of privacy and consent issues.

External Transmission

Medium
Category
Data Exfiltration
Content
body.inherit_params = { collection_uuid: ref, picture_uuid: ref };
  }

  const res = await fetch("https://api.talesofai.com/v3/make_image", {
    method: "POST",
    headers: {
      "x-token": token,
Confidence
93% confidence
Finding
fetch("https://api.talesofai.com/v3/make_image", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
body.inherit_params = { collection_uuid: ref, picture_uuid: ref };
  }

  const res = await fetch("https://api.talesofai.com/v3/make_image", {
    method: "POST",
    headers: {
      "x-token": token,
Confidence
93% confidence
Finding
https://api.talesofai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
}

async function pollTask({ token, taskUuid }) {
  const url = `https://api.talesofai.com/v1/artifact/task/${taskUuid}`;
  const headers = {
    "x-token": token,
    "x-platform": "nieta-app/web",
Confidence
91% confidence
Finding
https://api.talesofai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal