DJ set ripper

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but its bulk download and rename workflow can make under-scoped file changes based on untrusted track names, so it needs review before installation.

Install only if you are comfortable with a skill that downloads many media files and renames them on disk. Before use, review the extracted tracklist, run it in a dedicated fresh output folder, and avoid the normalization step unless artist and title values are sanitized to remove path separators and traversal strings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 79% confidence
Finding
The invocation guidance is broad enough that the skill could trigger on general DJ set or tracklist requests and then begin bulk sourcing and downloads with limited confirmation boundaries. Because the skill performs external fetching, parallel downloads, and filesystem writes, ambiguous triggering increases the risk of unintended high-impact actions from loosely related user prompts.

Missing User Warnings

Medium, 93% confidence
Finding
The skill instructs bulk downloading into the user's filesystem and then performs a batch renaming pass, but it does not require a clear pre-action warning that files will be created and renamed on disk. This is dangerous because users may not realize the extent of local changes, and fuzzy matching during normalization could misname files or alter an existing directory if the set name or path handling is wrong.

VirusTotal

64/64 vendors flagged this skill as clean.
