Simple stt(sound-to-text) locally

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal setup-oriented skill, with the main caution that installation downloads dependencies/models and writes local files.

Install only if you are comfortable with it downloading packages/models and creating local files. Prefer running it in a dedicated project or virtual environment, and review where it stores models and outputs before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 85%
Finding: The skill documentation shows the skill creates a virtual environment, installs packages, downloads a model, and creates output directories, which are filesystem-modifying capabilities. If the skill declares no permissions while performing writes, users and policy enforcement may be misled about what the skill can change locally. In this context the behavior appears expected for an installer, but the missing declaration is still a real security and transparency issue.

Missing User Warnings

Low
Confidence: 90%
Finding: The markdown advertises automatic dependency installation, model download, and environment creation, but does not clearly warn that running install will use the network and modify the local filesystem. That omission can lead users to trigger package downloads and persistent system changes without informed consent. The skill context makes these actions functionally relevant, but they should be prominently disclosed.

VirusTotal

66/66 vendors flagged this skill as clean.