Music Discovery

Security checks across malware telemetry and agentic risk

Overview

This music discovery skill is locally scoped and purpose-aligned, with a privacy note because it saves command inputs in a local JSON history file.

Install this if you want music recommendation help, but avoid putting secrets or highly sensitive personal details in the command arguments because they may be saved locally in data/music_discovery_data.json. Only install the optional Python packages or use Spotify OAuth when you actually want API-backed recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence: 87%
Finding:
The recommend command persists raw user-provided arguments to a local JSON file without notice, which can expose sensitive preferences or accidentally supplied personal data to other local users, backups, or logs. In a skill context, silent retention of user inputs is risky because users may reasonably expect ephemeral processing rather than persistent storage.

Missing User Warnings

Low
Confidence: 88%
Finding:
The playlist command writes user input directly into persistent local storage without any visible consent or warning. Even if the data seems low sensitivity, playlist themes, names, or free-form prompts may contain personal information that should not be retained silently.

Missing User Warnings

Low
Confidence: 89%
Finding:
The mood command stores user-supplied text on disk without warning, and mood-related prompts can be especially privacy-sensitive because they may reveal emotional state, mental health context, or personal circumstances. Silent persistence increases the chance of unintended disclosure through local access, backups, or later data reuse.

VirusTotal

61/61 vendors flagged this skill as clean.
