ClawHub

Clone Wizard

Security checks across malware telemetry and agentic risk

Overview

This is a coherent voice-cloning helper, but it handles sensitive voice recordings without a clear consent and privacy checkpoint before upload.

Review before installing. Use it only for your own voice or a voice you have clear permission to clone, assume recordings and preview requests may be sent to SenseAudio, and use a dedicated API key you can revoke. The skill should add an explicit consent and privacy step before any upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

High
Confidence
95% confidence
Finding
This skill handles biometric voice data and directs users to upload recordings to a third-party platform, but it does not clearly warn users that voice samples are sensitive personal data. Missing this notice undermines informed consent and may cause users to share biometric identifiers without understanding privacy, retention, or misuse risks.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs transmission of user-uploaded audio to an external API for analysis without an explicit privacy notice or consent checkpoint. Because uploaded speech can contain biometric identifiers and sensitive incidental content, silent transmission to a third party creates meaningful privacy and compliance risk.

External Transmission

Medium
Category
Data Exfiltration
Content
When the user uploads an audio file, run the quality check:

```bash
RESULT=$(curl -s -X POST https://api.senseaudio.cn/v1/audio/analysis \
  -H "Authorization: Bearer $SENSEAUDIO_API_KEY" \
  -F "model=sense-asr-check" \
  -F "file=@<AUDIO_FILE>")
Confidence
96% confidence
Finding
https://api.senseaudio.cn/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal