Music Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a plausible music downloader, but it asks for sensitive account cookies and runs a downloaded background service without enough scoping or safety guidance.

Review before installing. Use only if you trust the upstream go-music-api release channel and are comfortable with a persistent local service under ~/.openclaw. Avoid providing real music-platform cookies unless necessary; treat them like passwords, use temporary values where possible, and remove backend state when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill directs the agent to read and write files, make network requests, and execute shell scripts, but it does not declare any permissions or surface these capabilities clearly as security-relevant actions. That creates a trust and consent gap: users or policy layers may not realize the skill can install software, persist binaries, and contact external services.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 86%
Finding
The documented behavior overstates or misstates what the skill actually does, including unsupported Windows installation and undocumented persistence/caching side effects. Security review and user consent depend on accurate behavior descriptions; when a skill installs software, stores media and cache state, or handles cookies differently than advertised, users may be exposed to unexpected execution paths and data handling.

Intent-Code Divergence

High
Confidence: 93%
Finding
The script records a chosen free port and performs its health check against that port, but it starts the binary without passing the port via argument or environment variable. This can cause the service to bind to its default port instead, creating a mismatch where the script may report failure, leave a background process running, or interact with the wrong local service if another process is already listening on the recorded port.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs downloading audio and writing files under user-controlled paths and runtime directories without an explicit warning or confirmation about filesystem changes. In practice, this causes persistent writes, background installation artifacts, and media creation that a user may not expect from a search/play request.

Missing User Warnings

High
Confidence: 97%
Finding
The skill tells the agent to accept platform account cookies and send them to a local backend without a strong privacy and security warning. Session cookies are authentication secrets; forwarding them to another process expands the trust boundary and risks account compromise if the backend logs, exposes, mishandles, or transmits them.

Missing User Warnings

Medium
Confidence: 87%
Finding
The documentation instructs users to submit live authentication cookies to a local HTTP endpoint without clearly warning that these cookies are highly sensitive credentials and may expose account access if intercepted, logged, or mishandled. Although the destination is localhost, plaintext HTTP and example commands increase risk from local malware, proxying, port hijacking, shell history leakage, or users misunderstanding the trust boundary.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation instructs users to run a PowerShell script with ExecutionPolicy Bypass, which suppresses an important Windows safety control and normalizes executing unsigned local scripts without review. In this skill context, the script also installs binaries, chooses ports, starts a background service, and makes network requests, so the combination of policy bypass plus system-changing actions increases the risk of silent or unsafe execution if the script is modified or compromised.

Missing User Warnings

Medium
Confidence: 88%
Finding
The download workflow omits disclosure that it may automatically install Python via winget and write media files to a user-specified path, both of which are material system changes. In a music-download skill, users may expect file download behavior, but silent dependency installation and filesystem writes still create avoidable risk, especially if an attacker can influence arguments or if the workflow is triggered without clear consent.

Missing User Warnings

Medium
Confidence: 85%
Finding
The script performs outbound requests to attacker-controlled or untrusted URLs supplied via command-line arguments for lyrics and cover art, with no validation of scheme, host, or destination. In an agent context, this can be abused for SSRF-style access to internal services, unexpected data exfiltration via network side effects, or contacting sensitive local endpoints, making it more dangerous than a normal standalone media utility.

Missing User Warnings

Medium
Confidence: 98%
Finding
The installer fetches release metadata from GitHub, downloads a release archive, extracts it, copies out a binary, and executes it without any integrity verification such as a pinned checksum or signature check. In a skill that automatically installs and runs a local backend, this is especially dangerous because compromise of the release channel, repository, or network trust chain could lead to arbitrary code execution on the user's machine.

VirusTotal

67/67 vendors flagged this skill as clean.
