ClawHub

Bootleg Link Mcp

Security checks across malware telemetry and agentic risk

Overview

This skill is a music downloader, but it also handles account logins, stores session cookies, uses anti-detection browser automation, and includes an undeclared local proxy component.

Install only if you intentionally want a broad music-downloader MCP server that can receive account passwords, automate browser logins, and store reusable session cookies on disk. Review the code and local config first, avoid using high-value Google accounts, consider isolating it in a separate user/container, and delete stored cookie files when done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation declares no permissions while describing behavior that requires filesystem access, network access, environment/config handling, and likely shell/process execution through external tooling such as Python and yt-dlp. This mismatch weakens user consent and review because operators may approve the skill without understanding its actual capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a severe description-to-behavior mismatch: the skill presents itself as a simple YouTube-to-MP3 downloader, but static analysis indicates hidden high-risk functionality including automated credentialed logins, cookie export/management, third-party music service access, and a local proxy/tunneling component. Those undisclosed capabilities materially expand the attack surface and could enable credential theft, session hijacking, covert traffic interception, or abuse of paid accounts.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill description presents a YouTube audio downloader, but the code also implements Qobuz and Beatport login, search, and download features. This hidden capability expansion increases credential-harvesting and unauthorized-download risk because a user or host may grant trust based on incomplete metadata.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The exposed MCP tools materially exceed the stated purpose by offering non-YouTube music-service login and download operations. Undeclared capabilities are dangerous because clients, reviewers, and policy controls may not expect credential handling and content acquisition from additional providers.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code automates Google login with stealth techniques specifically intended to evade bot-detection signals such as webdriver checks and headless detection. That is highly suspicious for a downloader skill because it handles sensitive credentials and session cookies while intentionally bypassing platform protections.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
On startup, the server reads a PID file and attempts to terminate that process without verifying ownership or confirming it is actually the same application instance. If the PID file is stale or tampered with, this can kill an unrelated local process and cause denial of service.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module docstring claims limited SQLite tracking, but the implementation also persists Beatport cookies on disk and exports YouTube cookies. Misleading storage claims are security-relevant because they conceal credential persistence and can defeat informed consent and audit expectations.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This file exposes a general-purpose local HTTP/CONNECT proxy that can forward arbitrary outbound traffic through a SOCKS5 upstream, far beyond the stated YouTube-to-MP3 functionality. Even though it binds to 127.0.0.1, any local process or code execution context using the skill could abuse it as a covert egress channel, enabling policy bypass, data exfiltration, or access to unintended network destinations.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata describes a YouTube audio downloader, but the code also launches a standalone proxy server for arbitrary outbound network access. That hidden capability is security-relevant because reviewers and operators may grant the skill permissions under a narrower trust assumption, while the undeclared proxy can be used to evade monitoring or expand the skill's effective network reach.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented `clear_database` tool can erase all tasks and video records, yet the skill provides no warning, confirmation flow, or recovery guidance. In an agent-driven environment, destructive operations without friction increase the risk of accidental or induced data loss through misuse, prompt injection, or operator error.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The Qobuz login flow accepts raw credentials and transmits them to a third-party client library without clear disclosure, consent, or storage/handling guarantees. In a skill context, this is dangerous because users may not realize they are handing account credentials to code that also performs unrelated download behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Beatport session cookies are written to disk in plaintext without user-facing disclosure or evident permission hardening. Persistent session material can be reused by other local processes or attackers with filesystem access to hijack the account session.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code exports YouTube/Google cookies to a local Netscape-format cookie file for later reuse by yt-dlp, but does not clearly warn about persistent session storage. Those cookies may authenticate the user to Google services and could enable session hijacking if read by another process or user.

Missing User Warnings

High
Confidence
97% confidence
Finding
This flow solicits Google credentials, automates login, handles 2FA, and harvests resulting session cookies without strong safety or privacy disclosure. In the context of a downloader skill, collecting direct Google credentials is especially dangerous because compromise affects much more than YouTube.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The startup logic may terminate another process based solely on a PID file and does so automatically without confirmation. This creates a local denial-of-service primitive and is especially risky in shared environments or where the PID file directory can be manipulated.

Missing User Warnings

High
Confidence
93% confidence
Finding
The clear_database tool irreversibly deletes all tasks and video records immediately, with no confirmation token, dry run, or authorization guard. In an MCP environment, accidental or malicious invocation can destroy state and impair recovery or auditability.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Beatport login automation persists cookies after credentialed browser login but does not clearly disclose that local session artifacts are being stored. Persistent cookies can be replayed to access the user's account or purchases if the filesystem is compromised.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal