Security audit

Dark Academia Art Generator

Security checks across malware telemetry and agentic risk

Overview

This is a small, disclosed image-generation skill with a credential-handling caution but no evidence of hidden, destructive, or unrelated behavior.

Before installing, decide whether you trust the Neta/TalesOfAI service with your prompts and API token. Avoid pasting real tokens into shared terminals, CI jobs, recordings, screenshots, or logs; use a safer secret source if you adapt the script.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README repeatedly instructs users to pass the API token via a command-line flag, which can expose credentials through shell history, process listings, logging systems, and screenshots of terminal sessions. Although this is documentation rather than executable code, it promotes an unsafe secret-handling practice that can lead to account compromise if the token is captured.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The activation guidance says to use the skill whenever someone asks to generate or create dark academia art images, which is a broad trigger with little qualification. Overly broad activation can cause the agent to invoke this skill in situations where image generation is only tangentially related, increasing unintended tool use and accidental disclosure of user prompts or API-backed actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.