Back to skill

Security audit

Webchat Audio Notifications

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed browser audio-notification add-on with local settings storage and no evidence of hidden data theft, destructive behavior, or unauthorized control.

Install this only if you want browser sound notifications in a webchat. Keep the settings panel and scripts bundled and same-origin, review localStorage behavior for preferences/custom sounds, and prefer the browser login flow over command-line token examples if you publish or maintain the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared purpose is narrowly framed as background-tab audio notifications, but the described implementation also includes persistent localStorage storage, custom audio upload handling, config loading via fetch, an on-page permission/enable overlay, and a test path that can play while the tab is visible. This mismatch weakens user trust and reviewer visibility, and some of the extra behaviors expand the attack surface beyond what a user would reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The settings panel introduces arbitrary custom audio upload functionality even though the skill description presents only 5 fixed notification intensity levels. This expands the feature and trust boundary by accepting user-supplied files and delegating validation to window.notifier.uploadCustomSound(file), which can create unexpected storage, parsing, or media-handling risk if the backend/notifier implementation is weak.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The page fetches an external HTML fragment and then manually extracts and executes any embedded scripts by copying their text into newly created script elements. This creates a script-injection sink: if settings-panel.html is modified, replaced, or served unexpectedly, arbitrary JavaScript will run in the page origin and can access localStorage, page state, and notification settings. In the context of this skill, dynamic script execution is not necessary for testing audio notifications, so the behavior is less justified and more suspicious.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The publishing guide explicitly states that `clawdhub publish .` packages and uploads the directory, but it does not warn maintainers to review the directory contents for secrets, test artifacts, local configs, or other unintended files before upload. Because this is a distribution workflow document, omission of that warning can lead to accidental disclosure of sensitive files to a remote service and downstream users.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manual login example shows passing an API token directly on the command line without any warning about shell history, process-list exposure, or secure storage. This can cause token leakage to local logs, history files, screenshots, or other users on the system, enabling unauthorized access to the publisher account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.