Chibi Gen Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a straightforward image-generation skill, with normal but sensitive use of a Neta/TalesofAI API token and external image service.
Before installing, make sure you trust the Neta/TalesofAI service and the package source, use a limited API token where possible, and avoid sending sensitive information in image prompts.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill requires providing a Neta API token, which may authorize image generation and consume quota on that account.
The skill explicitly requires a provider API credential. This is expected for the stated image-generation service, but it gives the skill authority to use the user's Neta account or quota.
Requires a Neta API token. Free trial available at <https://www.neta.art/open/>.
Use a dedicated or low-privilege token if available, avoid sharing it in logs or chat, and revoke it if you stop using the skill.
Prompts or reference image IDs you provide may be processed by the external Neta/TalesofAI service.
The user's prompt is sent to an external image-generation provider. This is disclosed and purpose-aligned, but prompts and reference IDs should be treated as data shared with that service.
rawPrompt: [{ type: "freetext", value: prompt, weight: 1 }], ... fetch("https://api.talesofai.com/v3/make_image",
Do not include private, confidential, or sensitive personal information in prompts unless you are comfortable sharing it with the provider.
It may be harder to independently confirm the maintainer, upstream source, or support page before installation.
The registry metadata does not provide strong provenance or a homepage for independent verification. The included code is simple and purpose-aligned, so this is a supply-chain transparency note rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Install only from the trusted ClawHub listing or a verified repository, and review updates before providing an API token.
