LYGO RESONANCE | Image-to-Sound & Creative Profiles

Security checks across malware telemetry and agentic risk

Overview

This is a coherent creative image/video-to-audio skill that writes local output files and can optionally call a local LLM, with no evidence of hidden execution, exfiltration, destructive behavior, or credential use.

Install only if you are comfortable with a local creative tool that can generate WAV, MIDI, JSON, brief, and lyric files in the working directory. Use explicit input and output folders for batch runs, review disk usage, launch the Gradio UI only when wanted, and only point the LLM URL at a service you trust. Treat any memory, external posting, or ClawHub publishing instructions as separate high-impact actions that should require your direct approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The usage section encourages direct agent execution, chaining with other subsystems, batch processing, memory growth, GUI launch, and publishing flows in broad terms without tight preconditions or explicit consent requirements. In an agent context, this increases the chance of unintended activation that could trigger filesystem writes, network calls, or multi-step automation beyond what the user specifically requested.

Missing User Warnings

Low
Confidence: 82%
Finding
Although the skill mentions outputs in several places, the description does not prominently warn that normal operation can create multiple files such as WAV stems, MIDI, JSON briefs, text lyrics, and batch outputs. This can surprise users and, in automated environments, cause unintended disk consumption or clutter, especially when batch mode and multiple modules are used together.

VirusTotal

65/65 vendors flagged this skill as clean.
