MoodMusic Conversation-Based Music Recommendations

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a lightweight music recommendation helper, with the main issue being vague activation language rather than unsafe behavior.

Install if you want music suggestions based on mood or activity. To avoid accidental use, invoke it explicitly for music recommendations and avoid expecting it to store preferences unless the skill separately documents that behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The skill is triggered by broad, undefined conversational context ('reads the vibe') without clear activation boundaries, which can cause it to process unrelated user messages and infer preferences or mood when not explicitly requested. In a conversational agent, this increases the risk of over-collection of sensitive emotional/contextual data and unintended skill activation.

Vague Triggers

Medium
Confidence: 79%
Finding
The description is broad enough that an agent may invoke the skill from loosely related conversational context without clear user intent. Ambiguous activation boundaries can cause inappropriate triggering, unexpected processing of user messages, and prompt-routing mistakes, especially in systems with multiple skills.

Vague Triggers

Medium
Confidence: 84%
Finding
The phrase 'reads the vibe' is vague and leaves too much discretion to the agent about when to engage the skill. In a multi-skill or autonomous routing environment, this can expand the skill's scope unexpectedly and lead to unintended handling of ordinary conversation.

VirusTotal

66/66 vendors flagged this skill as clean.
