ClawHub

Thumbnail Gen Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward YouTube thumbnail generator that sends a user-provided prompt and token to a disclosed image API, with a credential-handling caution.

Use only a limited, revocable Neta token and avoid pasting it inline in shared terminals, logs, screenshots, or chat. Verify you are installing the intended Thumbnail Gen Skill package/listing, and expect your prompt and token to be sent to api.talesofai.com to generate the image.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares only the Bash tool while its documented usage invokes a script that sends requests to an external API using a user-supplied token, indicating undeclared network behavior. Hidden or undeclared network capability is dangerous because it reduces transparency for reviewers and users, and can expose prompts or API tokens to external services without clear permission declaration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill description says it uses the Neta API, but the finding indicates the actual behavior targets a different provider, api.talesofai.com, while also exposing additional behavior not clearly disclosed. This mismatch is dangerous because users may provide credentials or sensitive prompts under false assumptions about the recipient service, creating a trust-boundary violation and increasing the risk of token misuse, data leakage, or deceptive exfiltration.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README explicitly instructs users to supply the API token on the command line, which can expose the secret through shell history, process listings, terminal logs, CI logs, and screenshots. Because this is a user-facing installation and usage guide, the unsafe pattern is likely to be copied directly, increasing the chance of credential leakage.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal