ClawHub

free-music-generator

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its music-generation purpose, but it includes an undisclosed callback URL outside Tunee in generation requests.

Install only if you are comfortable using a Tunee API key and sending prompts, titles, and lyrics to Tunee. Before use, review or remove the hardcoded callback_url in scripts/generate.py, confirm each generation before it runs, and use a revocable API key with limited account exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger rules are intentionally expansive: they claim any AI music or lyric request must activate this skill and even instruct the system to prefer it over any other music tool. Overbroad activation can route unrelated or borderline requests into a skill that uses external APIs and account credentials, increasing the chance of unintended data access, unwanted external actions, and tool hijacking within a broader agent environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill supports checking remaining credits by calling an account-linked API, but the description and trigger text do not clearly disclose that this action accesses user account data. Users may reasonably think they are making a local query rather than authorizing retrieval of account information tied to their API key.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The guide hard-requires 'English keywords only' for prompt construction, even though the skill advertises support for 15+ languages. This can cause users' non-English inputs or preferences to be silently transformed or constrained without consent, leading to exclusion, incorrect output semantics, and policy/compliance issues around user expectation and fair access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script sends user-supplied prompt, title, and potentially full lyrics to a third-party API, but provides no explicit warning or consent check before transmitting potentially sensitive creative content off-box. In the context of an agent skill that may be auto-invoked for music/lyric requests, this increases privacy risk because users may not realize their text is being shared with an external service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal