Feishu BGM

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it generates instrumental BGM through MiniMax and sends the audio to the active Feishu group, with no hidden or destructive behavior found.

Install only if you are comfortable with MiniMax prompts leaving your environment, MiniMax quota being consumed, and generated audio being posted to the active Feishu group. In busy or sensitive groups, prefer explicit command-style use or confirmation before generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill clearly instructs use of environment-sourced credentials (`MINIMAX_API_KEY`) and outbound calls to MiniMax services, yet no permissions are declared. This creates a transparency and governance gap: operators may deploy a skill with external network and secret access without explicit review, increasing the chance of unintended data disclosure or policy bypass.

Vague Triggers

Medium
Confidence: 89%
Finding:
Several trigger phrases are broad everyday expressions such as '放点音乐' ("play some music") and '背景音乐' ("background music"), which can match normal conversation and cause the skill to activate unexpectedly in a group chat. In this skill's context, accidental activation can send user-provided scene descriptions to an external music-generation service and post the generated audio back into the current chat, causing privacy leakage, spam, and unnecessary API spend.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill does not clearly warn users that their prompts will be transmitted to MiniMax and that the resulting audio will be posted into the current Feishu group. Because user messages may contain business context, meeting topics, or other sensitive details, the lack of disclosure undermines informed consent and increases the risk of exposing internal information to third parties and unintended recipients.

VirusTotal

62/62 vendors flagged this skill as clean.