Gequhai Music

Security checks across malware telemetry and agentic risk

Overview

This music-download skill partly does what it advertises, but it embeds NAS credentials and exposes unauthenticated NAS workflows that change files; users should review both before installing.

Install only if you control the referenced Synology NAS and are comfortable rotating/removing the embedded credentials first. Treat the service as a network-exposed file-changing tool: add authentication, restrict it to an app-owned music folder, disable background rename/move automation unless explicitly wanted, and require confirmation before downloads or NAS file changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises network access, file read/write, and likely environment use through examples and described behavior, but it does not declare any permissions. This creates a transparency and consent gap: users or orchestrators may invoke a skill that can write files and make network requests without explicit permission scoping, increasing the risk of unintended downloads or access to local/NAS resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented purpose is music search/download, but the described implementation extends to NAS management operations, externally exposed FastAPI control surfaces, background tasks, and broader file handling. This mismatch is dangerous because it hides materially more powerful behavior than users would reasonably expect, enabling overbroad access to storage and networked services under the cover of a simpler music skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation publishes a hardcoded API/authentication header value, `X-Custom-Header: SecretKey`, which appears to function as an access secret. Exposing such a value in skill docs leaks credentials to any reader, encourages insecure secret handling, and can enable unauthorized use of the upstream service or rapid secret reuse if copied elsewhere.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The skill documentation reveals internal NAS connection details including a private host address and username. Even without a password, this unnecessarily exposes internal infrastructure metadata that can aid targeting, fingerprinting, or social engineering against the NAS environment.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hard-codes live Synology NAS credentials and then uses them to perform authenticated administrative actions. Anyone with access to the skill source can recover the credentials and gain remote access to the NAS, which is far more sensitive than the stated music-search purpose and can lead to full compromise of stored data.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code can rename and move files on the NAS using caller-controlled paths and names, giving the skill broad file-management power beyond simply searching for or downloading music. In context, this expands the blast radius substantially: a compromised workflow or malformed inputs could alter or relocate arbitrary NAS content, not just downloaded songs.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill can enumerate arbitrary NAS folder contents, which is unnecessary for basic music lookup and link retrieval. This exposes metadata about files and directories on the user's NAS and increases privacy and reconnaissance risk if the skill is misused or compromised.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The service automatically registers itself with a gateway on startup and advertises internal endpoints, creating an outbound trust relationship and exposing functionality beyond the core local music search/download purpose. Even if intended for discovery, this expands the attack surface and may leak service availability, network location, and control endpoints to another system without explicit operator approval.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The exposed /process-renames and /rename-queue endpoints provide operational control and visibility into file-processing workflows that are outside the stated user-facing skill scope of searching/downloading music. Without any authentication or authorization shown here, an external caller could inspect queued file metadata or trigger file-affecting processing actions remotely.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill promotes one-click downloads to a Synology NAS but does not provide clear warnings or consent controls around remote downloads, storage writes, or use of a third-party source. In this context, the absence of risk disclosure is significant because the action has side effects on user infrastructure and could download unexpected or infringing content to persistent storage.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill silently logs into a NAS with embedded credentials and can trigger remote file operations without any setup-time warning or runtime confirmation. Because these actions affect a user's personal storage, the lack of disclosure and consent materially increases the chance of unauthorized or surprising remote changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Remote rename operations are performed automatically against NAS files without prior warning or confirmation. Even if intended to improve filenames, incorrect matches or maliciously influenced metadata could rename files unexpectedly and disrupt the user's media library.

Missing User Warnings

High
Confidence
94% confidence
Finding
The file move operation is destructive in effect because it removes the source after moving, yet it occurs without explicit user warning. In a NAS environment, unintended moves can break existing organization, indexing, or backups and may be difficult for nontechnical users to diagnose.

Missing User Warnings

High
Confidence
95% confidence
Finding
The automatic workflow chains rename and move operations on the NAS after download completion, creating a safety-critical unattended action pipeline. In this skill context, automation makes the issue more dangerous because a user asking to download music may not expect silent file-management actions on their NAS beyond the download itself.

Missing User Warnings

High
Confidence
96% confidence
Finding
A single download request can automatically enqueue a NAS download and then schedule rename/move actions without prior disclosure. This combines network retrieval with remote storage modification, significantly exceeding what many users would expect from a music search skill and increasing the chance of unauthorized changes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script writes scraped search and download metadata to a fixed local path on disk without user confirmation, configurability, or safety checks. In an agent/skill context, silent persistence can leak user activity, overwrite existing files, or fail unpredictably on systems where that path maps to sensitive directories or synced storage.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The download and rename-related flows perform file-affecting actions immediately based on API input, with no confirmation, approval boundary, or authentication visible in this file. In the context of a NAS-integrated skill, this is more dangerous because remote callers may cause persistent changes to storage contents, filenames, and queued processing state.

VirusTotal

66/66 vendors flagged this skill as clean.
