ClawHub

Electric Guitar

Security checks across malware telemetry and agentic risk

Overview

This is a coherent electric guitar practice skill that may create local progress notes, but it does not show malicious or deceptive behavior.

Install this if you want a guitar practice assistant that can keep local practice records. Be aware it may create ~/electric-guitar/ and store songs, sessions, techniques, and goals there; ask the agent not to log progress or delete that folder if you do not want local history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low
Confidence
94% confidence
Finding
The skill instructs the agent to create a workspace under `~/electric-guitar/` and later log progress there, but it does not clearly warn the user that local filesystem changes may occur or require explicit consent before writing. While the path and purpose are limited and consistent with the skill's functionality, silent file creation/modification is still a real safety issue because it can surprise users and normalize unauthorized persistence.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The logging triggers are broad enough to capture ordinary conversational mentions of practice, struggle, or learning, which can cause the agent to infer consent to create or update progress records when the user did not explicitly ask for tracking. In a skill that maintains persistent personal progress logs, this creates a real risk of unwanted data collection, incorrect records, and privacy-invasive behavior through over-eager logging.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal