Perception Music

Security checks across malware telemetry and agentic risk

Overview

This skill is a local perception-to-music utility with disclosed file reads, local command execution, and audio output, with some hardening and clarity issues but no evidence of deception, exfiltration, or destructive behavior.

Install only if you are comfortable with the skill reading local perception data under ~/.qclaw, running local binaries such as fm_compose, sense_all, and ffmpeg, and writing audio files to ~/.qclaw/workspace/soundscape. Prefer a trusted absolute ffmpeg path and avoid enabling scheduled use unless you intentionally want recurring compositions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not os.path.exists(ffmpeg):
        ffmpeg = "ffmpeg"

    subprocess.run([ffmpeg, "-y", "-i", wav_path, "-codec:a", "libmp3lame", "-b:a", "128k", mp3_path],
                   capture_output=True, timeout=30)

    # Save to soundscape directory
Confidence
84% confidence
Finding
subprocess.run([ffmpeg, "-y", "-i", wav_path, "-codec:a", "libmp3lame", "-b:a", "128k", mp3_path], capture_output=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documents shell execution and file output but does not declare corresponding permissions, creating a transparency and policy-enforcement gap. In agent frameworks, undeclared shell and file-write capabilities can bypass user expectations and weaken sandboxing or approval controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The manifest describes a narrowly scoped, zero-dependency local music tool, but the documented behavior expands to invoking additional local binaries, optional ffmpeg, sensor commands, and only partially implementing the advertised data mappings. This mismatch is dangerous because reviewers or automated systems may approve the skill under false assumptions about its execution surface and data access.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
Claiming 'No external calls' while relying on external local executables is misleading from a security standpoint, even if those calls are not network requests. Users may interpret the claim as meaning no external program execution at all, when in reality the skill chains to binaries whose behavior and safety are outside the markdown's control.

Context-Inappropriate Capability

Low
Confidence
76% confidence
Finding
A skill framed as sonifying existing perception data also includes the ability to trigger fresh perception-gathering commands, which broadens its data-access scope beyond what a user may expect. While not inherently malicious, this increases privacy and execution surface because the skill can cause new local sensing activity rather than only processing existing files.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Broad trigger phrases such as 'compose from data' or 'sonify sensor data' can cause the skill to activate in contexts the user did not specifically intend, especially in systems using fuzzy matching. Unintended activation matters here because the skill can execute shell commands, read local perception data, and write output files.

VirusTotal

65/65 vendors flagged this skill as clean.
