ClawTune 抓音是一款可以给你带来 AI 音乐的技能，包括听歌和创作。

Security checks across malware telemetry and agentic risk

Overview

The skill’s music workflow is coherent, but it needs review because it stores and can print persistent authentication tokens while sending personal creative prompts to a remote service.

Install only if you are comfortable with ClawTune sending your music requests, lyrics, story details, and order metadata to its server and storing local access/refresh tokens under your OpenClaw directory. Avoid using the auth print mode in shared logs or transcripts, and treat generated token files as secrets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill explicitly instructs use of shell scripts, file read/write, state storage, and HTTP/API actions, yet no declared permissions are present. This creates a privilege-transparency gap: the host or reviewer may underestimate what the skill can do, while the skill is designed to perform authenticated actions, persist state, and access local resources.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The script provisions and refreshes authentication tokens, persists them locally, and manages installation identity, which is materially broader than the declared skill purpose of generating playlists or turning inspiration into songs. That mismatch increases supply-chain risk because the skill gains durable authenticated capability unrelated to the user-facing music function, making hidden account linkage or backend access possible.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The print mode outputs the full auth record, including access and refresh tokens, to stdout after ensuring valid credentials exist. This can leak long-lived credentials into terminal history, logs, parent process capture, or other telemetry, enabling unauthorized reuse of the account/session.

Vague Triggers

High

Confidence: 91% confidence
Finding: The trigger description is very broad, covering common conversational situations like wanting background music, expressing emotions, giving gifts, commemorating events, or asking for playlists. Such expansive matching can cause unintended invocation in ordinary chats, leading the assistant to steer users into this skill when they did not request it and potentially initiate order-creation or recovery flows too aggressively.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The playbook explicitly instructs the agent to read credential files from the local filesystem and persist session/order identifiers, but provides no consent, disclosure, or data-minimization guidance. In an agent setting, local files and persisted identifiers are sensitive because they can expose authentication material and long-lived linkage data without the user's awareness.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The playbook directs the skill to send authenticated requests to a remote service for playlist generation, draft creation, and ordering, yet it does not require any user-facing notice that prompts, creative intent, and related metadata may be transmitted off-platform. Because this skill is designed to capture emotional context, gifts, memorials, and stories, the transmitted data may be unusually personal and privacy-sensitive.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The examples transmit potentially sensitive user-provided content and identifiers, including free-text lyrics/story context, user_ref, skill_session_id, and playlist linkage, to a remote service without any privacy notice, minimization guidance, or consent boundary. In this skill context, users are explicitly encouraged to share emotions, gifts, anniversaries, and personal stories, which makes silent transmission of intimate content more privacy-sensitive than a generic API example.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The document includes authentication flows and instructs users to export access, installation, and refresh tokens into shell environment variables without any warning that these values are sensitive credentials. This increases the risk of accidental disclosure through shell history, process inspection, logs, screenshots, or copied terminal sessions, especially because refresh tokens can prolong unauthorized access.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script silently performs remote bootstrap/refresh calls and writes credential material to disk without any user-facing notice, consent flow, or disclosure. In the context of a music-oriented skill, this hidden credential lifecycle is unexpected and increases the chance users and operators will not realize persistent authentication artifacts are being created.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal