ClawHub

Audio Speaker Tools

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate audio toolkit, but it enables voice cloning and speaker verification without adequate consent, privacy, or misuse warnings.

Install only if you will process audio you are authorized to use and have consent from the speakers. Treat extracted speaker clips and comparison outputs as sensitive biometric data, avoid impersonation or surveillance use, be careful before uploading samples to ElevenLabs or any other third party, and delete temporary audio files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs users to run shell commands, use environment variables for secrets, and write output files, but it does not declare corresponding permissions. This creates a transparency and governance gap: users or hosting platforms may not realize the skill can invoke local tooling, access sensitive environment data like HF_TOKEN, and write artifacts to disk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill operationalizes speaker verification and voice cloning workflows on biometric voice data without any consent, privacy, identity-misuse, or lawful-use warnings. In context, this is more dangerous than generic audio processing because it explicitly supports cloning and verifying human voices, which can enable impersonation, unauthorized biometric processing, and mishandling of sensitive personal data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly promotes voice authentication and voice cloning quality assessment using biometric voice data, but it provides no warning about consent, privacy, impersonation, or abuse risks. In this skill context, that omission matters because the tool is specifically positioned for speaker verification and cloning workflows, which can enable unauthorized biometric matching or more convincing impersonation if used without safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal