NetEase Cloud Music Listening Profile

Security checks across malware telemetry and agentic risk

Overview

This skill transparently collects a user's own NetEase Cloud Music listening data into local files for optional AI analysis, with no artifact evidence of upload, credential theft, or hidden behavior.

Install only if you are comfortable creating local files that summarize your music habits and possibly reveal mood, routines, or personal traits. Keep the outputs private, review them before sharing with any AI service, and consider using a locked virtual environment if dependency reproducibility matters to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill collects highly sensitive behavioral data—playlist choices, recent listening history, all-time rankings, and derived aggregates that can reveal mood, habits, relationships, and identity signals—then persists them locally and prepares prompts for AI analysis, but it does not require an explicit privacy warning or informed consent flow. In this context, the absence of a clear sensitivity notice increases the risk of users disclosing intimate profile data without understanding retention, downstream sharing, or analysis implications.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This code writes multiple files containing a user's listening-profile data and outputs their locations, but this file shows no user-facing consent, warning, or minimization around the collection/export step. Because the dataset includes personal behavioral information and is persisted locally in several formats, it creates privacy and secondary-disclosure risk if the machine, workspace, or output directory is shared or later exfiltrated.

Unpinned Dependencies

Low
Category
Supply Chain
Content
psutil>=5.9
requests>=2.31
websocket-client>=1.6
Confidence
95% confidence
Finding
psutil>=5.9

Unpinned Dependencies

Low
Category
Supply Chain
Content
psutil>=5.9
requests>=2.31
websocket-client>=1.6
Confidence
95% confidence
Finding
requests>=2.31

Unpinned Dependencies

Low
Category
Supply Chain
Content
psutil>=5.9
requests>=2.31
websocket-client>=1.6
Confidence
94% confidence
Finding
websocket-client>=1.6

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
74% confidence
Finding
requests

VirusTotal

64/64 vendors flagged this skill as clean.
