audiopod

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed SkillBoss audio-processing helper that sends user-selected audio or text to a remote API, with no evidence of hidden execution or unrelated data access.

Install only if you intend to use SkillBoss as a third-party processor. Use a dedicated API key, do not hardcode or log it, and submit only audio, voice samples, lyrics, prompts, URLs, and transcripts that you are comfortable sending to SkillBoss under its terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest and description scope this skill to audio processing, but the documented Chain Mode adds generic chat summarization and translation. That scope expansion can bypass user and platform expectations about what the skill is allowed to do, enabling broader data processing than advertised.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Embedding general-purpose chat functions inside an audio-processing skill introduces undocumented capability creep. In practice, transcripts or other user content could be routed into a broader text-processing pipeline without clear consent or least-privilege boundaries.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill description does not warn that user audio, transcripts, prompts, and possibly derived text are sent to the external SkillBoss service. This omission creates a privacy and consent problem, especially for sensitive recordings or transcriptions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference instructs sending user-supplied audio URLs or base64-encoded audio to a third-party API using an API key, but it does not warn that user content will leave the local environment or mention privacy, consent, retention, or third-party processing. In an audio-processing skill, this is especially relevant because audio may contain sensitive speech, copyrighted material, or biometric voice data, so omission of disclosure can lead to privacy and compliance issues.

VirusTotal

66/66 vendors flagged this skill as clean.
