asmr-music

Security checks across malware telemetry and agentic risk

Overview

This is a simple ASMR music recommendation skill with disclosed external playback links and an optional reminder feature.

Install only if you want ASMR or ambient-audio recommendations. Treat the sleep, anxiety, and heart-rate language as general wellness guidance rather than medical advice, review external playback links before opening them, and enable the nightly reminder only if you deliberately want a recurring 10 PM notification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 93% confidence
Finding
The trigger examples are broad, everyday phrases such as requests about sleep, relaxation, study, and anxiety, which creates ambiguous activation boundaries and increases the chance the skill is invoked when the user did not specifically intend to use it. In this skill’s context, that matters because it can steer sensitive wellness-related conversations toward a specific skill and its recommendation or reminder flows without sufficiently clear user intent.

Missing User Warnings

Medium, 95% confidence
Finding
The reminder feature describes recurring nightly notifications and even includes enable/run instructions, but it does not clearly require explicit informed opt-in, explain persistence, or confirm that notifications will continue daily until disabled. In a consumer wellness skill, silent or poorly disclosed recurring notifications can undermine user consent, create nuisance/spam behavior, and train the agent to take ongoing actions beyond a single request.

VirusTotal

57/57 vendors flagged this skill as clean.
