
Security audit

Release

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Muse music-generation skill, but it handles sign-in by asking users to paste a reusable token into chat and then saves it locally, so it needs review before installation.

Install only if you trust Muse and are comfortable with prompts, lyrics, account status, a persistent device ID, and generation requests going to Muse’s API. Do not paste a token unless you intend to sign in through this skill, and delete ~/.muse/token if you no longer want local access retained. Avoid using install.sh with an arbitrary --path unless you have verified the path, because uninstall or upgrade can recursively delete that directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes scripts that perform network access and write persistent state such as tokens and task context, yet no permissions are declared. This weakens platform trust boundaries because the runtime capabilities exceed what a reviewer or user would expect from the manifest, making silent credential storage and outbound requests possible.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose is music creation, but the skill also handles registration/login flows, device identifier generation, token persistence, account status queries, and promotional deep links. That mismatch is dangerous because users may consent to a creative tool without realizing it is also collecting and persisting authentication material and device-linked metadata.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly asks users to paste JWT-like tokens into chat and then verifies and stores them. Collecting bearer tokens through conversational messages is highly sensitive because chat logs, agent memory, transcripts, or downstream tooling may expose reusable credentials, enabling account takeover or unauthorized API use.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Persisting credentials in ~/.muse/token creates long-lived local secrets outside the chat platform's managed secret store. If the host is multi-user, compromised, backed up insecurely, or inspected by other tools, the token can be stolen and reused to access the user's account and credits.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The installer allows a user-supplied --path to become SKILL_DIR and then, in uninstall mode, recursively deletes that directory with rm -rf. Because there is no validation that the path is actually a Muse skill install location, a mistaken or manipulated invocation can delete arbitrary user files or directories unrelated to the skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Recursive deletion of the install directory is a destructive capability and is broader than the skill's music-generation purpose. In this script it is expected installer behavior, but it is still dangerous because deletion occurs automatically once SKILL_DIR is resolved, and mistakes in path selection would cause data loss.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The file includes phone-based authentication and membership lookup flows that go beyond a narrowly scoped local music-creation helper and introduce collection/handling of account-linked identifiers and subscription data. Even if these are needed by the upstream service, embedding them in the skill expands the trust boundary and privacy exposure without clear minimization or user-consent controls in this file.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code derives a persistent device identifier from hostname, MAC address, and username, then stores and transmits it as an application-specific fingerprint. Although hashed, this is still a stable cross-session identifier derived from sensitive host attributes, enabling tracking/correlation beyond what is necessary for a music-generation skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file implements phone-based registration, login, and token acquisition logic inside a skill whose declared purpose is music creation. That mismatch expands the trust boundary and introduces credential-handling behavior users would not reasonably expect from a content-generation skill, increasing phishing, abuse, and account-compromise risk if the skill or upstream service is misused.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code handles SMS verification, login, token verification, and token persistence, all of which are sensitive account-management operations unrelated to the advertised music-generation function. In this context, collecting phone numbers and obtaining auth tokens is more dangerous because users may provide credentials under the assumption they are only interacting with a creative assistant.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation criteria are broad enough to capture generic music-related requests, increasing the chance the skill runs when the user did not intend to start an authenticated third-party workflow. In this skill, accidental triggering is more dangerous because invocation can lead to credential collection, network calls, and persistent state changes.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list contains very common phrases such as 'music', 'song', and '/muse', which are likely to collide with ordinary conversation. Because the skill can move users into auth and token-handling flows, overly permissive invocation materially raises the risk of unintended execution and data exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide explicitly instructs that a pasted authentication token will be automatically saved to `~/.muse/token`, but it does not require informed user consent, describe file permissions, or explain the security implications of local credential persistence. Persisting bearer-style tokens to disk increases the risk of credential theft from local compromise, shared accounts, backups, logs, or overly permissive file access, especially because the token remains valid for 180 days.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The uninstall path performs rm -rf on the resolved directory without an explicit warning or confirmation, including when a custom path was supplied. This increases the likelihood of accidental destructive actions and makes social engineering or operator error more harmful.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
During upgrade, the script silently removes the existing installation directory before copying new files. If SKILL_DIR is misresolved or custom-set incorrectly, this can wipe unrelated content with no recovery path or prominent warning.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
On successful login, the auth token is automatically written to ~/.muse/token without explicit warning or opt-in before the side effect occurs. Persisting bearer tokens silently can expose accounts to local compromise, accidental reuse by other tools, or leakage from shared environments, especially because the token appears sufficient for authenticated API access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The verify command has a non-obvious side effect: it saves any supplied token to disk after validation. A user may invoke verification expecting a read-only check, but instead the token is persisted locally, which can create unintended credential storage and broaden exposure on compromised or multi-user systems.

Session Persistence

Medium
Category
Rogue Agent
Content
制作音乐、原创歌曲、作曲、编曲、作词、填词、
 写歌词、生成歌词、BGM、纯音乐、背景音乐、配乐、
 把文字变成歌、变成音乐、做个曲子、
 song、music、compose、make a song、write a song、muse、/muse。
---

# Muse - AI Music Creation Assistant
Confidence
78% confidence
Finding
write a song、muse、/muse。 --- # Muse - AI Music Creation Assistant Helps users generate original songs through simple conversation in a chat environment. Core value: **a song in 3 rounds of interaction**. ## Environment setup **Working directory**: before running any bash command, you must first `cd` to the directory containing this SKILL.md (that is, the skill install directory). All script paths (`scripts/`, `assets/`, `refer

VirusTotal

64/64 vendors flagged this skill as clean.
