Soundside

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Soundside media integration, but it gives an agent paid remote generation, library delete/update ability, persistent hosted resources, and email sharing without clear approval or privacy guardrails.

Review before installing if you plan to use this with private, regulated, or business-sensitive content. Use a scoped API key if Soundside supports it, enable tool approvals or spending limits, and require explicit confirmation before paid generation, deleting or updating library items, or sharing any project by email.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill advertises network-backed media generation across Soundside and multiple third-party providers but does not warn users that their prompts, images, audio, video, and related content may be transmitted off-host to external services. This can cause unintended disclosure of sensitive data, especially because the skill encourages rich media workflows where users may submit proprietary or personal content.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill states that `lib_share` can share projects by email but does not warn that this can disclose user content to external recipients. Without an explicit caution, users may not realize an agent can trigger outbound sharing of potentially sensitive project materials beyond the Soundside platform.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill states that `lib_share` can share projects by email but does not warn that this can disclose user content to external recipients. Without an explicit caution, users may not realize an agent can trigger outbound sharing of potentially sensitive project materials beyond the Soundside platform.

VirusTotal

65/65 vendors flagged this skill as clean.
