Music Player for Windows

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: search, download, tag, and play music files, with some rough edges around dependency hygiene and default download paths.

Use this only for music you are authorized to download. Prefer commands where you provide the output path yourself, review hard-coded demo paths before running them, and consider pinning or minimizing dependencies before installing in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script downloads remote content and writes it directly to a hard-coded local path under a user profile without any confirmation, path validation, or safety prompt. In an agent/skill context, automatic file writes to a fixed location can overwrite existing user data, create persistence artifacts, or unexpectedly modify the host filesystem, especially if the script is executed unattended.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"metadata": "python embed_metadata.py"
  },
  "dependencies": {
    "requests": "*",
    "mutagen": "*",
    "python-pptx": "*"
  },
Confidence
98% confidence
Finding
"requests": "*"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "requests": "*",
    "mutagen": "*",
    "python-pptx": "*"
  },
  "python_version": ">=3.7",
Confidence
98% confidence
Finding
"mutagen": "*"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "requests": "*",
    "mutagen": "*",
    "python-pptx": "*"
  },
  "python_version": ">=3.7",
  "platform": [
Confidence
98% confidence
Finding
"python-pptx": "*"

VirusTotal

67/67 vendors flagged this skill as clean.
