Speech De-Noise, Vocal Enhancement

Security checks across malware telemetry and agentic risk

Overview

This skill behaves consistently with its stated purpose: it uploads user-selected media to Modal for cloud GPU speech denoising and downloads the enhanced audio, with no evidence of hidden or unrelated behavior.

Install only if you are comfortable sending the selected audio or video files to Modal for cloud processing. Use explicit file selections, confirm directory selections carefully, avoid sensitive recordings unless external processing is acceptable, and run the cleanup step after successful download.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes shell commands and writes files but does not declare corresponding permissions, creating a transparency and policy-enforcement gap. That makes it easier for a user or host system to underestimate what the skill can do, especially since it uploads local files and downloads processed outputs via CLI commands.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad enough to match ordinary user requests about improving audio quality, which can cause the skill to activate unexpectedly. In this skill's context that is more dangerous because activation leads to local file handling, remote uploads to Modal infrastructure, and recursive remote cleanup steps.

Missing User Warnings

High
Confidence
97% confidence
Finding
The workflow instructs the agent to upload local audio or video files to a remote GPU service without a prominent warning in the skill description or trigger surface. This is a significant privacy and data-handling risk because users may reasonably assume a local denoising operation while sensitive recordings are actually transferred off-device.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The cleanup step deletes the remote task directory recursively, but the user is not clearly warned that remote copies will be removed in this way. While deletion is generally desirable for privacy, undocumented recursive deletion can cause data loss, hinder recovery, and create confusion if users expect remote outputs or logs to remain available.

VirusTotal

67/67 vendors flagged this skill as clean.
