Magazine Cover Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward magazine-cover image generator that sends the user’s prompt and Neta token to the documented Neta/TalesOfAI API.

Install only if you are comfortable sending your image prompts, optional reference image UUIDs, and Neta API token to Neta/TalesOfAI. Avoid sensitive or regulated content in prompts, and consider the command-line token exposure risk from shell history or process listings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill declares only the Bash tool but instructs users to invoke a script that sends prompts and a token to the Neta API, which implies outbound network access without corresponding permission disclosure. This creates a transparency and trust problem: users and platforms may not realize the skill transmits prompts and credentials to an external service, increasing the risk of unintended data exfiltration or policy bypass.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README instructs users to submit free-form prompts and optional reference-image UUIDs to a third-party image-generation API but does not clearly disclose that this data leaves the local environment. This can lead users to unknowingly send sensitive personal, proprietary, or regulated content to an external service, creating privacy, confidentiality, and compliance risk.

Vague Triggers

Medium
Confidence: 86%
Finding
The invocation guidance, 'Use when someone asks to generate or create ai magazine cover generator images,' is broad enough to match generic image-generation requests rather than narrowly scoping to magazine-cover use cases. Over-broad triggering can cause the wrong skill to run, leading users to unintentionally send prompts or reference images to a third-party API when they expected a different local or safer image workflow.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script sends the user's prompt, optional reference UUID, and API token to a third-party API without any meaningful disclosure beyond a generic help string. In a CLI skill context, users may reasonably assume local processing, so silent transmission of potentially sensitive prompts and credentials creates a real privacy and trust risk.

VirusTotal

64/64 vendors flagged this skill as clean.
