Ghibli Style Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: it runs a small image-generation script that sends a prompt and user-provided Neta token to the advertised Neta/TalesOfAI API.

Before installing, confirm you trust the package source and understand that your prompt and Neta API token will be sent to api.talesofai.com to generate the image. Do not include sensitive information in prompts unless you are comfortable sending it to that service.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill can use the Neta account/token you provide to submit image-generation jobs.

Why it was flagged

The script sends the user-provided Neta API token in the request headers to the image-generation API. This is expected for the stated integration, but it is still credential use.

Skill content

"x-token": token

Recommendation

Use a dedicated Neta token if possible, avoid sharing tokens in chat unnecessarily, and revoke the token if you no longer use the skill.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less independent information for confirming who maintains the skill or whether the install target is the intended one.

Why it was flagged

The registry metadata does not identify a source repository or homepage, while the skill provides install commands. The included code is small and coherent, but provenance is less clear.

Skill content

Source: unknown; Homepage: none

Recommendation

Install from a trusted registry/source and verify the package name and publisher before use.