Flowyaipc Herdsman Skill En

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but its voice-cloning and file-writing workflows need user review before installation.

Install only if you trust the publisher and need Herdsman media integration. Treat voice cloning as sensitive: use only authorized reference audio, avoid impersonation, and restrict where scripts may read from or write to. Prefer local 127.0.0.1 endpoints, avoid untrusted base URLs, and check output paths before running conversion or save commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            print(f"Stream URL: {full_url}")
            if args.download:
                import subprocess
                subprocess.run(["curl", "-o", auto_output_path(), full_url], check=False)
        else:
            print(json.dumps(result, indent=2, ensure_ascii=False))
        return
Confidence
91% confidence
Finding
subprocess.run(["curl", "-o", auto_output_path(), full_url], check=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents and encourages use of powerful capabilities including shell execution, local file read/write, network access, and environment-dependent behavior, but it does not declare permissions or boundaries for those actions. In an agent ecosystem, this weakens reviewability and consent controls, making it easier for downstream platforms to invoke sensitive operations without clear authorization expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared description frames the package as a connection/integration layer, but the documented behavior extends into OCR, image generation/editing, transcription, TTS, voice cloning, local audio conversion, and file persistence. This mismatch can mislead reviewers and policy engines about the real operational scope, causing risky capabilities to be approved under a narrower-looking description.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill exposes voice cloning workflows using reference audio and text but provides no warning about consent, impersonation risk, or retention/handling of biometric voice data. That omission materially increases the chance of misuse for non-consensual impersonation, social engineering, fraud, or processing sensitive personal data without adequate safeguards.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The guidance to save generated images to disk promotes persistence of outputs without warning that those files may contain sensitive, personal, or policy-relevant content. In shared workspaces or long-lived agent environments, silent persistence can create unnecessary data exposure, accidental reuse, or retention beyond user expectations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script passes `-y` to ffmpeg, which forces overwrite of any existing output file without confirmation. If an attacker or confused user can influence `output_path`, this can destroy or replace files accessible to the running account, making the issue more concerning in agent/integration contexts where file paths may be supplied indirectly.

VirusTotal

64/64 vendors flagged this skill as clean.