Release

Security checks across malware telemetry and agentic risk

Overview

This music-generation skill appears purpose-aligned overall, but it handles login tokens and installation in ways users should review before trusting it.

Install only if you trust the Muse service and publisher. Prefer the reviewed package over the README's git-clone installer, do not paste a token into shared or logged chats, and remove ~/.muse/token when you stop using the skill or if the machine is shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill executes networked scripts and relies on local file persistence for tokens/task state, yet declares no permissions. That creates a transparency and sandboxing problem: a host may expose file/network access to a skill whose manifest does not accurately communicate those capabilities. In this context, the hidden capabilities are especially relevant because the skill handles authentication state and remote account actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a music-generation assistant but also performs account registration, login/token handling, device-ID management, credit/member-status checks, and external site redirection. This mismatch reduces informed consent and increases phishing and privacy risk because users may disclose credentials/tokens to functionality that was not clearly declared as part of the skill's purpose. The context makes this more dangerous because the extra behavior is tied to authentication and persistent identifiers, not just harmless ancillary UX.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The README directly instructs an AI assistant to clone a remote repository into /tmp and execute install.sh. For a music-generation skill, asking the agent to fetch and run arbitrary code is an unnecessary privileged action that can lead to full local code execution if the repo or script is malicious or later compromised. The explicit 'AI 助手请注意' ("AI assistant, please note") phrasing makes this especially risky because it targets autonomous agent behavior rather than a human's informed review.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The installation section includes commands that fetch remote code and execute shell or batch installers across multiple agent environments. This grants the skill a path to arbitrary code execution and persistence in agent skill directories, which is far beyond what is required to help compose music and expands the blast radius across different CLI ecosystems. Claims in the README such as 'zero external dependencies' do not mitigate the danger of executing installer scripts from a cloned repository.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The documented workflow includes registration and authentication handling well beyond simple music creation. Expanding a content-creation skill into account-management increases the attack surface for credential theft, privacy issues, and confusion about what the agent is allowed to do. Because the workflow actively guides users through account recovery and registration, it materially changes the trust boundary of the skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to solicit and process pasted JWT/bearer tokens from the user. Accepting raw authentication tokens in chat is dangerous because tokens can be replayed, logged, leaked through transcripts, or mishandled by the agent/runtime, leading to account takeover. In a conversational environment, this is significantly riskier than redirecting users to a proper OAuth or in-app auth flow.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The document says only documented subcommands may be used, yet the workflow invokes an undocumented subcommand. This inconsistency undermines reviewability and can hide unvetted capabilities from users and auditors, especially when the command participates in registration/authentication flow. Undocumented command usage is risky because it bypasses the stated interface contract and may expose unexpected behavior.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script allows a user-supplied --path to become SKILL_DIR, and in uninstall mode it executes rm -rf "$SKILL_DIR" with no restriction that the path must be an actual Muse installation directory. This creates arbitrary file deletion capability if the script is invoked with an unsafe path, which is broader than the expected scope of a music skill installer.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code derives a persistent device identifier from hostname, MAC address, and username, then stores it locally and sends it in API headers. Even though the value is hashed, it is still a stable fingerprint tied to sensitive host attributes and is not necessary for a music-generation skill's core function, creating unnecessary privacy and tracking risk.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The docstring explicitly claims that no privacy data is collected and that the ID cannot reveal device information, but the implementation uses hostname, MAC address, and username to create a stable identifier. This mismatch is dangerous because it misleads reviewers and users about the true privacy behavior, reducing informed consent and masking tracking functionality.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script persists an auth token to local storage (~/.muse/token) after login or token verification. Storing bearer tokens on disk can expose accounts if file permissions are weak, the host is shared, or malware/local users can read the file; the risk is amplified because the token grants authenticated access without re-entering the SMS code.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide tells users to click a generated registration link and then paste back a token that begins with `eyJ`, which is likely a bearer credential, but it does not clearly warn that the token is sensitive and must not be shared outside the intended local verification flow. In an agent/chat context, instructing users to paste credentials into conversation creates a real risk of credential exposure via logs, transcript retention, model processing, or accidental disclosure to unintended parties.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The guide states that successful verification automatically saves the token to `~/.muse/token` but gives no user-facing notice about local credential storage, permissions, or how to revoke/delete it. Silent persistence of authentication material can expose the credential to other local users, backup systems, malware, or later unintended reuse if file permissions are weak or the device is shared.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
In uninstall mode, the script recursively deletes the target directory immediately once it exists, without presenting the resolved path for confirmation. A mistaken target selection or bad custom path can therefore cause unintended data loss.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
During upgrade, the installer silently removes the existing SKILL_DIR with rm -rf before copying files. If the resolved directory is wrong or has been repurposed, this can destroy unrelated user data without warning or backup.

Ssd 3

High
Confidence
98% confidence
Finding
This flow explicitly instructs the user to paste an authentication token into the chat for processing, which is a direct secret-handling anti-pattern. In the context of an AI skill, this is more dangerous because chats may be logged, inspected, replayed, or exposed through support tooling, making a bearer token compromise immediately usable for account access until expiration or revocation.

Session Persistence

Medium
Category
Rogue Agent
Content
make music, original songs, composing, arranging, writing lyrics, setting lyrics,
 write lyrics, generate lyrics, BGM, instrumental music, background music, soundtrack,
 turn text into a song, turn into music, make a tune,
 song, music, compose, make a song, write a song, muse, /muse.
---

# Muse - AI Music Creation Assistant
Confidence
77% confidence
Finding
write a song, muse, /muse. --- # Muse - AI Music Creation Assistant Helps users generate original songs through simple conversation in a chat environment. Core value: **a song in 3 rounds of interaction**. ## Environment Setup **Working directory**: before running any bash command, first `cd` to the directory containing this SKILL.md (that is, the skill installation directory). All script paths (`scripts/`, `assets/`, `refer

VirusTotal

60/60 vendors flagged this skill as clean.
