AudioPod

Security checks across malware telemetry and agentic risk

Overview

AudioPod is a documented API helper for audio generation and processing, with expected account-key, billing, and media-upload risks but no hidden or deceptive behavior found.

Install only if you are comfortable giving an agent access to an AudioPod API key that can create billable jobs, view usage and balance, and manage provider-side jobs or voices. Use an environment variable for the key, keep wallet exposure limited, verify the SDK package source, and upload only audio, URLs, transcripts, or voice samples you have permission to send to AudioPod.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The documentation broadens the skill from audio processing into wallet management and billing operations that are not clearly declared in the manifest description. This scope mismatch can mislead users and orchestrators about what the skill may do, increasing the risk of unexpected financial actions or access to billing metadata.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
Documenting wallet balance checks, pricing, and usage history without corresponding manifest disclosure creates hidden capability risk. In an agent setting, undeclared financial and account-inspection features can expose sensitive account metadata or enable unintended cost-incurring workflows.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill supports voice cloning, speaker separation, and transcription of uploaded recordings but omits privacy, consent, and data-handling warnings. Because these features process biometric-like voice data and potentially sensitive conversations via a third-party API, users may unknowingly transmit personal or regulated information.

VirusTotal

66/66 vendors flagged this skill as clean.
