ClawHub
Back to skill

Security audit

MusicGenerator

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward MakebestMusic skill that uses a configured API key to send song prompts and music IDs to the provider for generation and status checks.

Install only if you trust MakebestMusic with your API key and song prompts. Use a revocable or dedicated key, avoid putting private or sensitive material in prompts, and leave MBM_API_BASE unset unless you intentionally want to route requests to another trusted endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes local Node.js scripts and requires an API key, which implies access to environment data and outbound network communication, yet it declares no explicit permissions beyond metadata requirements. This weakens the trust boundary for users and reviewers because the skill can transmit prompts and credentials to an external service without a clear permission declaration.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad and include common language such as 'create a song' and 'generate music', which can cause the skill to activate unintentionally in normal conversation. Unintended invocation can lead to accidental transmission of user prompts to the external music service or unexpected use of the configured API key.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description says it is powered by MakebestMusic, but it does not clearly warn users that their prompts will be sent to an external third-party service for processing. Users may share sensitive creative or personal content without realizing it leaves the local environment, creating a privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal