Ai Music Creator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to be a legitimate cloud video-generation integration, but its broad trigger wording and unnecessary local environment probing create review-worthy privacy and accidental-upload risk.

Review before installing. Use it only if you are comfortable with user media being sent to a cloud video service, and prefer explicit invocation or confirmation before uploads or remote rendering. The publisher should narrow trigger phrases and remove local install/config probing unless it is replaced with non-sensitive runtime metadata.

SkillSpector (3)

By NVIDIA

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding:
The skill instructs the agent to inspect local install paths and config locations to derive platform attribution, which exceeds what is necessary to generate music-backed videos. Accessing local environment details expands the skill's data-access scope and can expose host metadata that is unrelated to user intent, creating an unnecessary privacy and reconnaissance risk.

Vague Triggers

Medium
Confidence: 89%
Finding:
The invocation guidance is broad enough that ordinary phrases like sharing clips or describing a desired result could activate the skill in contexts where the user did not explicitly intend to use this external cloud-connected tool. That increases the risk of accidental file upload, token-backed API usage, and unintended disclosure of user content to a third-party service.

Vague Triggers

Medium
Confidence: 93%
Finding:
The example trigger phrase "generate my video clips" is too generic and overlaps with normal editing requests, making accidental activation likely. In this skill's context, accidental invocation is more dangerous because it can initiate remote session setup and media transfer to a cloud backend using available credentials.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
