Music Search

Security checks across malware telemetry and agentic risk

Overview

This music-search skill is mostly coherent, but it needs review because it can crawl arbitrary third-party pages, resolve arbitrary URLs, auto-install a Python dependency, and execute local .env shell content on Bash startup.

Install only if you are comfortable with a music-link crawler that sends search terms to external search tools, fetches third-party pages by default, may return magnet links, and installs cloudscraper into a local .venv on first use. Keep the skill directory and .env trusted, avoid putting secrets in its .env file, avoid @file arguments that point at sensitive files, and run it in a contained environment if your network has access to internal services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes runtime behaviors that require environment access and external networking, including use of environment variables, web crawling, and dependency installation, but it declares no permissions. This undermines informed consent and platform enforcement because an agent may invoke networked or environment-sensitive operations without an explicit capability boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is music resource search, but the file also reveals additional behaviors: resolving arbitrary redirect URLs, returning magnet links, invoking another skill for web search, and automatically creating a Python virtual environment to install cloudscraper. Hidden or under-disclosed behaviors increase the risk of policy bypass, unexpected network access, and unreviewed code execution paths during routine use.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script explicitly extracts and returns BitTorrent magnet links, even though the skill metadata describes cloud-drive music resource search. This broadens the skill from indexing cloud storage links to facilitating access to potentially infringing or unvetted peer-to-peer content, which increases legal, abuse, and policy risk in the context of a music-download skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill automatically creates a Python virtual environment and installs dependencies at runtime, which expands its behavior beyond a simple music-search utility into modifying the host environment and executing package-management actions. This is dangerous because it introduces supply-chain and unexpected code-execution risk without explicit user approval, especially if requirements or package sources are tampered with.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill can fetch arbitrary URLs supplied by the user in resolve and also scrapes third-party pages during deep search, which exceeds the narrow cloud-drive link retrieval described in the manifest. This creates SSRF-like behavior and network exposure, allowing access to internal services or unintended hosts if the skill runs in a privileged network environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill performs live crawling of third-party pages and external network access via a deep-search mode, yet the user-facing description does not prominently warn about this behavior. That lack of disclosure can lead users or operators to invoke the skill without understanding that it will contact untrusted sites, increasing privacy, legal, and supply-chain exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatic dependency installation and virtualenv creation occur without a clear warning or consent flow, so running a search can unexpectedly change the local system state and execute installer logic. That is risky because users may not realize the skill is performing package installation, and any compromise in dependency sources could lead to code execution.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Deep search performs external search queries, page fetching, and scraping, but the interface does not clearly disclose that behavior to the user before execution. This is a security-relevant transparency issue because it broadens data exposure and network activity beyond what a user may expect from a simple search command.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sources a local .env file directly into the shell, which means any shell syntax in that file will be executed, not merely parsed as configuration. If an attacker can modify the skill directory or supply a malicious packaged .env, this becomes arbitrary code execution at script startup and can also expose secrets via exported variables.

VirusTotal

66/66 vendors flagged this skill as clean.
