Security audit

Dark Fantasy Art Generator

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward image-generation helper that sends the user's prompt and Neta token to the documented Neta/Tales of AI API.

Install only if you are comfortable sending prompts and your Neta API token to api.talesofai.com. Prefer using an environment variable such as --token "$NETA_TOKEN" instead of typing the raw token directly in commands, and review the provider's quota or billing terms before generating images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill declares only the Bash tool, but its documented usage invokes a Node script that calls an external image-generation API, which implies network access without an explicit permission declaration. This weakens the trust boundary for users and reviewers because the skill's effective capabilities are broader than its manifest suggests, making unexpected outbound requests and data exfiltration easier to hide.

Missing User Warnings

Medium
Confidence: 98%
Finding: The documentation tells users to pass the API token directly on the command line, which can expose secrets through shell history, process listings, logging, terminal recordings, and CI output. Because this skill relies on a third-party network API, the token is a valuable credential and the surrounding context makes accidental leakage more consequential.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.