ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ambient Audio

v1.0.0

Play scientifically-proven ambient sounds for focus, relaxation, meditation, and sleep. Perfect for programmers, office workers, students, and anyone needing...

0· 41·0 current·0 all-time
by@leyao1017
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims pre-generated 10s audio files in samples/ and instant playback; the repository contains only SKILL.md and scripts/play.sh (no samples directory or audio files). That omission means the skill as provided cannot perform its stated purpose without the missing sample files.
!
Instruction Scope
SKILL.md instructs the agent to run scripts/play.sh and to use ffmpeg/ffplay. The script itself only spawns ffplay locally (no network activity or secret access), which is within scope. However the control logic is buggy: it computes LOOP_COUNT but never uses it, starts ffplay with -loop 0 (infinite loop), and the background shutdown uses pkill -f 'ffplay.*focus-audio' even though the ffplay process command line does not include 'focus-audio' — so the script may not stop playback as advertised. These are functional/incoherence issues in scope rather than data-exfiltration concerns.
Install Mechanism
No install specification — instruction-only plus a local bash script. No downloads or external installers. This is the lowest-risk install mechanism.
Credentials
The skill requests no environment variables, credentials, or config paths. It requires ffplay (part of ffmpeg) and an audio output device, which are proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always:true and does not modify agent/system configs. It writes a PID file to /tmp/focus-audio.pid and uses process management, which is reasonable for a local player. No elevated persistence or cross-skill configuration is requested.
What to consider before installing
This skill appears to be an instruction-only ambient audio player but is packaged incompletely and has bugs. The samples/ audio files referenced in SKILL.md are not included, so it won't play until you add or generate the MP3s. The player starts ffplay with an infinite loop (-loop 0) and attempts to stop it using a pkill pattern that won't match the ffplay command line; as a result playback may not stop when the script reports it did. Before installing or running it: (1) inspect or add the samples/ files yourself (or generate them with the provided ffmpeg example), (2) review and fix the stop logic (use the saved PID to kill the ffplay process and/or include a unique marker in the ffplay invocation so pkill matches), and (3) test in an isolated environment (not a shared production server) so stray audio processes or aggressive kill -9 calls don't affect other services. There are no signs of network exfiltration or credential requests, but because the package is incomplete and buggy, treat it as untrusted code until you verify/fix it.

Like a lobster shell, security has layers — review code before you run it.

latestvk9756qdvrt67vqqdypg0nbp9jh84gbtf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments