Security audit

3d Anime Poster Generator

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward image-generation skill that sends the user’s prompt and token to the disclosed Neta/TalesOfAI API.

Install only if you are comfortable sending your prompt, optional reference image UUID, and Neta API token to the Neta/TalesOfAI service. Avoid confidential prompts, and avoid passing the token as a command-line argument on shared machines: other users can read process arguments from the process list (e.g. `ps` or /proc), so prefer an environment variable or a file with restrictive permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%

Finding
The skill declares only `tools: Bash`, while its documented behavior requires contacting the external Neta API, which is a network capability. Undeclared network use reduces transparency and can bypass user or platform expectations about data egress, especially because prompts and the API token are sent to a third-party service.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding
The script sends the user-supplied API token in the `x-token` header to a third-party endpoint and transmits the prompt and reference-image data over the network, but it provides no explicit user-facing disclosure beyond requiring the token argument. In an agent-skill context, silent credential transmission to an external service is a real security concern: users may not realize that their token and content are being sent off-platform.
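The two findings above describe a check a reviewer can automate: compare the capabilities a skill declares in its frontmatter against what its script actually does (network egress, credential-bearing headers, secrets taken from positional arguments). The following is an added example written for this page; it is not SkillSpector's code and not the skill's own script. The skill text, the `tools:` vocabulary treated as network capabilities, and the `api.example.invalid` endpoint are all constructed stand-ins.

```python
"""Static audit of an agent-skill file: frontmatter declarations vs. script behaviour.

Added example for this audit page (not SkillSpector's implementation, not the
skill's real script).  SAMPLE_SKILL and HARDENED_SKILL are constructed inputs;
the endpoint hostname is a placeholder, not the real Neta/TalesOfAI API."""
import re

# Constructed skill file: YAML-style frontmatter, then a shell script that
# declares only Bash but posts a token and prompt to a remote endpoint.
SAMPLE_SKILL = r"""---
name: poster-generator
tools: Bash
---
#!/bin/sh
# usage: generate.sh <api-token> <prompt> [ref-image-uuid]
TOKEN="$1"
PROMPT="$2"
curl -s -X POST https://api.example.invalid/v1/generate \
  -H "x-token: $TOKEN" \
  -H 'content-type: application/json' \
  -d "{\"prompt\": \"$PROMPT\"}"
"""

# Constructed "after" version: network capability declared, token read from
# the environment instead of argv (so it is absent from process listings).
HARDENED_SKILL = SAMPLE_SKILL.replace(
    "tools: Bash", "tools: Bash, WebFetch").replace(
    'TOKEN="$1"', 'TOKEN="${NETA_TOKEN:?set NETA_TOKEN}"')

# Assumed capability names that count as "network declared" (placeholder vocabulary).
NETWORK_CAPS = {"network", "http", "fetch", "webfetch"}
# Evidence that a shell script reaches the network.
NETWORK_PATTERNS = [r"\bcurl\b", r"\bwget\b", r"https?://[^\s'\"]+", r"/dev/tcp/"]
# Headers that typically carry a credential.
SECRET_HEADER = r"-H\s+['\"]?(x-token|authorization|x-api-key)\b"
# Assignment of a secret-looking variable from a positional parameter ($1, $@, ...).
ARGV_SECRET = r"\b(TOKEN|KEY|SECRET|PASSWORD)\w*=\"?\$\{?[0-9@*]"


def split_frontmatter(text):
    """Return (frontmatter dict, script body).  Frontmatter is the leading --- block."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        return {}, text
    meta = {}
    for line in m.group(1).splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            meta[key.strip().lower()] = value.strip()
    return meta, m.group(2)


def declared_tools(meta):
    """Lower-cased set of tool names from a 'tools: A, B' line."""
    return {t.lower() for t in re.split(r"[,\s]+", meta.get("tools", "")) if t}


def audit_skill(text):
    """Return a list of (severity, message) findings for one skill file."""
    meta, body = split_frontmatter(text)
    tools = declared_tools(meta)
    findings = []

    egress = [m.group(0) for p in NETWORK_PATTERNS for m in re.finditer(p, body)]
    if egress and not (tools & NETWORK_CAPS):
        findings.append(("medium", "undeclared network egress; declared tools "
                         f"{sorted(tools)}, evidence {egress[:3]}"))

    for m in re.finditer(SECRET_HEADER, body, re.I):
        findings.append(("medium", f"credential sent in header {m.group(1).lower()}; "
                         "confirm the user is told where it goes"))

    if re.search(ARGV_SECRET, body):
        findings.append(("low", "secret read from a positional argument; "
                         "visible in process listings on shared hosts"))
    return findings


if __name__ == "__main__":
    for label, skill in (("sample", SAMPLE_SKILL), ("hardened", HARDENED_SKILL)):
        print(label)
        for severity, message in audit_skill(skill):
            print(f"  [{severity}] {message}")
```

Running it against the constructed sample yields three findings (undeclared egress, a credential-bearing `x-token` header, a token taken from `$1`); the hardened variant still reports the header, since sending the token is the skill's purpose and the remaining question is disclosure, not prevention. Pattern matching on shell text is a coarse first pass: it will miss egress hidden behind a helper binary or a `$(...)` expansion, so treat a clean result as "nothing obvious", not as proof.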

VirusTotal

0 of 66 vendors flagged this skill; all 66 reported it clean. Note that VirusTotal engines look for known-malicious code and signatures in the uploaded file, so a clean result does not address the undeclared network egress and credential transmission described in the findings above.