Generate Protoss-style (StarCraft) voice effects using SoX and FFmpeg.

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward local audio effect tool that uses ffmpeg and sox, with no evidence of hidden networking, credential access, persistence, or unrelated behavior.

Install only if you are comfortable letting the agent run local ffmpeg/sox commands on selected audio files. Keep backups or ask the agent not to clean up temporary/raw files if preserving source recordings or intermediates matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(cmd_mix, check=True)

        # Step 4: Encode final output (MP3/Original format)
        subprocess.run(
            ["ffmpeg", "-y", "-i", temp_wav_mix, output_path],
            check=True,
            stdout=subprocess.DEVNULL,
Confidence
86% confidence
Finding
subprocess.run( ["ffmpeg", "-y", "-i", temp_wav_mix, output_path], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation clearly instructs execution of local shell commands (`python3`, `ffmpeg`, `sox`) but does not declare corresponding permissions or execution capabilities. That mismatch can bypass user/admin expectations about what the skill is allowed to do, increasing the risk of unintended command execution or unsafe automation in environments that rely on manifest-style declarations for trust decisions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instruction to silently clean up raw or intermediate audio files introduces undisclosed deletion behavior. Even if intended for temporary artifacts, silent deletion can remove user-provided recordings or evidence of processing without consent, which is especially sensitive for personal audio and can lead to data loss or auditability issues.

VirusTotal

66/66 vendors flagged this skill as clean.
