acestep

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ACE-Step music tool, but it needs review because its documentation and defaults create avoidable privacy and shell-use risks.

Install only if you are comfortable verifying the configured api_url before use and sending prompts or lyrics to that endpoint. Do not send private or proprietary lyrics unless the configured service is trusted, avoid printing the API key, and treat jq installation as a manual setup step requiring explicit user approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares allowed tools including Bash and gives extensive shell-based operational steps, but there is no explicit permissions model or user-consent boundary for commands that can change local state. In practice, this lets a music-generation skill perform configuration changes, health checks, and file writes through shell execution, increasing the risk of unintended system modification beyond the user’s likely expectation.

Tp4

Severity
High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose focuses on music generation, but the documented behavior also includes local configuration management, API-key handling, dependency installation behavior, network diagnostics, model enumeration, and writing outputs to disk. This mismatch matters because users may invoke the skill for creative tasks without realizing it can alter configuration or interact with the host environment in broader ways.

Vague Triggers

Severity
Medium
Confidence
87% confidence
Finding
The trigger text is broad enough to match many ordinary conversations about music, songs, remixing, or production, which can cause the skill to activate when the user did not clearly intend tool use. Because the skill can run shell commands and modify local config, over-broad invocation raises the chance of unnecessary or surprising side effects.

Missing User Warnings

Severity
Medium
Confidence
94% confidence
Finding
The documentation states that the script may automatically install jq if missing, but it does not clearly require prior user consent before modifying the system. Silent or implicit package installation is dangerous because it expands a content-generation skill into a system-changing installer, which can violate least surprise and introduce supply-chain or privilege risks.

Sudo/Root Execution

Severity
Medium
Category
Privilege Escalation
Content
If jq is not installed, the script will attempt to install it automatically. If automatic installation fails:
- **Windows**: `choco install jq` or download from https://jqlang.github.io/jq/download/
- **macOS**: `brew install jq`
- **Linux**: `sudo apt-get install jq` (Debian/Ubuntu) or `sudo dnf install jq` (Fedora)

### Before First Use
Confidence
91% confidence
Finding
sudo

Sudo/Root Execution

Severity
Medium
Category
Privilege Escalation
Content
If jq is not installed, the script will attempt to install it automatically. If automatic installation fails:
- **Windows**: `choco install jq` or download from https://jqlang.github.io/jq/download/
- **macOS**: `brew install jq`
- **Linux**: `sudo apt-get install jq` (Debian/Ubuntu) or `sudo dnf install jq` (Fedora)

### Before First Use
Confidence
91% confidence
Finding
sudo

VirusTotal

65/65 vendors flagged this skill as clean.