Waifu Gen Skill

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised image-generation task, but users should know it sends prompts and an API token to a third-party service.

Install only if you are comfortable sending your image prompt, optional reference UUID, and Neta API token to the TalesOfAI/Neta service. Avoid sensitive prompts, and prefer adapting the script to read the token from an environment variable or secret store instead of placing it in shell history with --token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown explicitly tells users to supply a Neta API token via the `--token` flag and shows example commands containing the token. Command-line secrets can be exposed through shell history, process listings, or shared terminal logs, but the README provides no warning or safer handling guidance.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code accepts a user-supplied token and sends it in the x-token header to an external service via fetch. While the script validates that a token is present, it does not clearly warn the user that their credential and prompt content will be transmitted off-host, and there is no inline comment or explicit disclosure near the network operation.

External Transmission

Medium
Category
Data Exfiltration
Content
}

async function createImage() {
  const res = await fetch("https://api.talesofai.com/v3/make_image", {
    method: "POST",
    headers,
    body: JSON.stringify(body),
Confidence
70% confidence
Finding
fetch("https://api.talesofai.com/v3/make_image", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
}

async function createImage() {
  const res = await fetch("https://api.talesofai.com/v3/make_image", {
    method: "POST",
    headers,
    body: JSON.stringify(body),
Confidence
60% confidence
Finding
https://api.talesofai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
}

async function pollResult(taskUuid) {
  const pollUrl = `https://api.talesofai.com/v1/artifact/task/${taskUuid}`;
  const maxAttempts = 90;

  for (let i = 0; i < maxAttempts; i++) {
Confidence
60% confidence
Finding
https://api.talesofai.com/

VirusTotal

66/66 vendors flagged this skill as clean.
