Chords Fetcher

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it searches public chord sites for a song and returns cleaned chord text, without hidden persistence, credential use, or unrelated access.

Install only if you are comfortable with song and artist queries being sent to DuckDuckGo and public chord websites. Avoid putting private text into the song query, and use normal caution with Python package dependencies such as ddgs and beautifulsoup4.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to run a script that performs DuckDuckGo searches and fetches content from external chord sites, but the skill metadata does not declare any corresponding network permission or capability. This creates a transparency and policy-enforcement gap: users and any permission system cannot accurately assess that invoking the skill causes outbound network access.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation guidance says to use the skill whenever a user asks for chords to a song, without narrowing when external fetching is appropriate or requiring confirmation before web access. Overly broad triggers can cause the agent to initiate network activity in situations where the user expected a simple answer, local knowledge, or a clarification step instead.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The usage and feature descriptions emphasize clean chord retrieval but do not warn that requests will trigger external searching and fetching from third-party sites. This lack of disclosure can mislead users about data flow, cause unanticipated transmission of their query to search engines and websites, and bypass informed consent for network use.

VirusTotal

67/67 vendors flagged this skill as clean.