Security audit

Plush Toy Generator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed plush-toy image generator that sends user prompts and a Neta token to the named image API; the main cautions are privacy and command-line token handling.

Install only if you are comfortable sending prompts, optional reference image UUIDs, and your Neta API token to api.talesofai.com. Avoid sensitive personal or proprietary prompts, and use a limited token where possible; be especially careful running token-bearing commands on shared machines or in logged automation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill invokes an external API and explicitly requires a Neta API token, which indicates network access despite no declared permissions. Undeclared network capability undermines transparency and consent, increasing the risk that users provide secrets or allow outbound communication without clear permission scoping.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README instructs users to submit prompts, a token, and optionally a reference image UUID to a third-party API service, but it does not clearly disclose that user content and metadata are transmitted off-platform. This can mislead users about data handling and privacy, especially when prompts or reference images may contain personal, proprietary, or sensitive information.

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The activation guidance is broad enough that the skill could be invoked for generic image-generation requests involving plush toys, even when the user did not specifically intend to use this external-tool workflow. Unintended invocation can cause unnecessary token prompts, external API use, or accidental data sharing with a third-party service.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script requires the API token to be passed via a command-line flag, which can expose the credential through shell history, process listings, job logs, or orchestration metadata on multi-user systems. This is a real secret-handling weakness even though the token is then used for its intended purpose in an HTTPS request.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.