ClawHub

Skywork Music Maker

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Mureka music-generation skill that uses the user’s API key to send prompts, lyrics, and requested audio uploads to Mureka and save generated outputs locally.

Install if you are comfortable with Mureka receiving your prompts, lyrics, and any reference or vocal audio you choose to upload. Use a dedicated API key, monitor billing, review translated prompts before generation, and only use voice samples or reference tracks you have permission to process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill requires access to an API key, writes generated outputs to disk, and sends prompts/audio to an external service, but it does not declare explicit permissions for those capabilities. That creates a transparency and consent problem: users and hosting platforms may not realize the skill can read sensitive environment data, write files, and transmit user content externally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly promotes vocal cloning and audio uploads but provides no guidance on obtaining consent, respecting privacy, or ensuring rights to the source audio. In a skill intended for agent-driven workflows, this omission increases the risk of misuse for impersonation, unauthorized voice replication, or processing third-party audio without permission.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The skill mandates that all non-English user input be converted into English prompts before generation, without explicit user opt-in. This can cause unintended transformation of user content, reduce user control over what is sent externally, and potentially alter meaning for sensitive or nuanced creative inputs.

External Transmission

Medium
Category
Data Exfiltration
Content
- **API Key**: `MUREKA_API_KEY` environment variable (required)
- **Base URL**: https://api.mureka.ai
- **Dependencies**: Python 3, `requests` library
- **Billing**: Check balance with `curl -H "Authorization: Bearer $MUREKA_API_KEY" https://api.mureka.ai/v1/account/billing`
Confidence
91% confidence
Finding
https://api.mureka.ai/

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal