Klangio

Security checks across malware telemetry and agentic risk

Overview

This Klangio skill is a disclosed OOMOL connector for creating audio-processing jobs and retrieving results, with data-transfer and CLI-install considerations users should understand.

Install this only if you intend to let OOMOL operate your connected Klangio account. Confirm audio uploads and job-creation payloads before running create actions, and treat downloads as transfers into OOMOL OSS transit storage rather than purely local retrieval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger description says to use this skill for ANY Klangio request and instead of calling the API directly, which can cause the agent to invoke the skill too broadly whenever Klangio is mentioned. That increases the chance of unintended tool execution, especially because the skill includes state-changing create/update actions and the broad routing language may bypass more precise intent checks.

Missing User Warnings

Medium
Confidence: 95%
Finding
The action description states that it downloads a Klangio job result file and uploads it to OOMOL OSS transit storage, but it does not clearly warn users that data will be transferred to a second storage system. This can lead to unintentional exfiltration of sensitive or regulated data, especially if users assume the action only retrieves a file locally or within Klangio.

Missing User Warnings

Medium
Confidence: 91%
Finding
The action explicitly downloads a source-separated audio stem and uploads it to transit storage, but the documentation gives no warning about data movement, temporary storage, retention, or potential exposure of user-provided audio content. This can lead users to move copyrighted, sensitive, or private audio into another storage domain without informed consent or handling guidance, increasing confidentiality and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.
