Back to skill

Security audit

Webtoon Character Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward webtoon image-generation wrapper, with some credential-handling and privacy caveats users should understand.

Install only if you are comfortable sending your image prompts, optional reference UUIDs, and Neta API token to api.talesofai.com. Avoid putting private, confidential, or regulated information in prompts, and prefer using an environment variable expansion for the token rather than typing the raw token directly into a command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README explicitly instructs users to supply the API token via a command-line flag, which can expose the secret through shell history, process listings, logging, CI output, or screenshots. Because this is a developer-facing usage pattern for a real external API credential, the risk is practical and the documentation normalizes an unsafe secret-handling practice.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger guidance, 'Use when someone asks to generate or create webtoon character generator images,' is overly broad and lacks boundaries on what kinds of image-generation requests should invoke the skill. In an agent setting, vague invocation criteria can cause the skill to activate unexpectedly, leading users' prompts and tokens to be sent to an external service without clear user intent or informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill description and usage instructions do not clearly disclose that user prompts and the API token are transmitted to an external third-party image generation service. This creates a privacy and credential-handling risk because users may provide sensitive prompts or secrets without understanding they will leave the local environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends a user-supplied token in the x-token header and transmits the prompt to a third-party API, but it provides no clear user-facing disclosure that both credentials and prompt content are being sent off-device. This is dangerous because users may unknowingly expose sensitive API tokens or confidential prompt content to an external service, especially in agent or automation contexts where prompts may contain private data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.