ClawHub

Music Generator Free

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed cloud music/video generation workflow, but it automatically creates remote token/session state and routes broad prompts to a third-party backend with too little user control.

Install only if you are comfortable sending prompts and uploaded media to mega-api-prod.nemovideo.ai, letting it maintain short-lived token/session state, and using it for video timeline edits and MP4 exports as well as music generation. Avoid private media unless you trust that service, and remove the NEMO_TOKEN/config data when you no longer want the integration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a simple music-generation utility, but the documented behavior expands into a general video editing, upload, session-management, and cloud rendering workflow. This mismatch weakens informed consent and can cause the agent to perform broader networked actions and media processing than the user would reasonably expect from the manifest description.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
Deriving `X-Skill-Platform` from the install path introduces unnecessary collection and transmission of local environment metadata unrelated to generating music. Even if only normalized to a small set of values, this behavior conditions the skill to inspect local installation context and send it to a third party, which is avoidable and privacy-impacting.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Routing essentially all unmatched prompts to the generation/SSE path is overly permissive and can cause unintended outbound requests and backend actions from ambiguous user input. In a skill that automatically connects to a remote service and maintains editing sessions, this broad trigger increases the chance of unauthorized or surprising processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs automatic backend connection and anonymous token acquisition on first open with only minimal user-facing notice. This causes network/authentication activity and account-like state creation before meaningful consent, which is especially risky because it obtains credentials, creates sessions, and begins interacting with a third-party service automatically.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal