Skill v1.0.0

ClawScan security

Songsee · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:21 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions match its stated purpose (running the songsee CLI to render spectrograms), but there is an inconsistency between the registry metadata and the SKILL.md about installation/required binaries that you should verify before installing.
Guidance
What to check before installing:
- Confirm the discrepancy: SKILL.md expects the 'songsee' binary and suggests a Homebrew formula (steipete/tap/songsee) even though the registry lists no install/binaries. This likely means the skill will fail unless the binary is present or you install it.
- Inspect the Homebrew tap/formula and upstream GitHub repo (https://github.com/steipete/songsee) to ensure the build/install steps are benign and there is no unexpected network or post-install behavior.
- If you will install the binary, prefer installing in a controlled environment (container, VM, or sandbox) until you verify it. Review the formula and any downloaded artifacts for unexpected content.
- Note ffmpeg is optional for decoding some formats; if ffmpeg is not already trusted on the system, treat it the same way: verify its source.
- The skill does not request credentials or access to unrelated files, but be careful not to pass sensitive audio files to tools you haven't vetted.
If you need higher assurance, request that the skill author provide an explicit install spec in the registry or include a checksum for the binary.

Review Dimensions

Purpose & Capability
note: The skill's purpose (generate spectrograms) aligns with the actions in SKILL.md (invoke the songsee CLI on audio files or stdin). However, the registry summary lists no required binaries or install spec, while the SKILL.md metadata explicitly lists 'songsee' as a required binary and suggests installing via Homebrew (steipete/tap/songsee). This mismatch is likely a packaging/metadata oversight but should be confirmed.
Instruction Scope
ok: SKILL.md only instructs the agent to run the songsee CLI on local audio files or stdin and to use ffmpeg if present for non-native formats. It does not ask the agent to read unrelated files, export credentials, or communicate with unexpected external endpoints.
Install Mechanism
note: There is no top-level install spec in the registry, but SKILL.md contains metadata recommending installation via a Homebrew formula (steipete/tap/songsee). A brew formula is a typical, low-risk install path, but you should verify the tap/repo is trustworthy (review the formula contents and upstream GitHub repo) before installing.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. That is proportionate to its stated purpose of invoking a local CLI tool.
Persistence & Privilege
ok: The skill does not request always:true and uses normal agent invocation defaults. It does not request system-wide persistence or modify other skills' configuration.