Music Tagger

Security checks across malware telemetry and agentic risk

Overview

This looks like a local music-file tool, but its core tag editing and tag-based organization are simulated while presented as usable, so users could trust results that are not real.

Review this before installing if you need a real music metadata editor. Treat the current version as a demo unless you verify that tag reads and writes persist on test files, use preview mode first, and keep backups before running any batch or organize command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The code advertises tag reading and writing, but both functions only print simulated output and return placeholder data. This is dangerous because users will believe metadata edits and organization decisions are based on real file tags when they are not, causing silent integrity issues, misleading previews, and incorrect file organization.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The edit path calls write_tags, but write_tags does not persist anything to disk, so the skill claims to modify metadata while making no actual changes. This creates a high-risk integrity/deception issue because users may rely on edits having been applied, potentially leading to data-management mistakes, repeated manual work, and unsafe downstream automation based on false assumptions.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
Organization decisions are derived from fabricated placeholder tags rather than actual metadata, so files may be sorted into misleading artist, album, genre, or year folders. In this skill context, that makes the issue materially dangerous because the core function is file organization, and users may end up with incorrectly structured libraries while trusting the preview output.

VirusTotal

66/66 vendors flagged this skill as clean.
