audio-enhancement-engine

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real audio enhancement skill, but running it can automatically download code and modify Python environments beyond what the skill clearly discloses.

Install only if you are comfortable with first-run network downloads and Python environment changes. Prefer running it in an isolated container or disposable virtual environment, review and pin dependency sources first, and use it only on audio files or folders you explicitly intend to process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (33)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    """专门为老项目(使用 pkg_resources 的 setup.py)修复 setuptools 版本"""
    logger.info("🔧 正在修复 setuptools 版本(兼容旧 GitHub 包构建)...")
    try:
        subprocess.check_call([
            sys.executable, "-m", "pip", "install",
            "--quiet", "--force-reinstall", "setuptools<=81.2.0", "wheel"
        ])
Confidence
95% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "--quiet", "--force-reinstall", "setuptools<=81.2.0", "wheel" ])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd.extend(["-i", "https://pypi.tuna.tsinghua.edu.cn/simple"])

    try:
        subprocess.check_call(cmd)
        logger.info(f"✅ {spec} 安装/升级完成!")

    except subprocess.CalledProcessError as e:
Confidence
98% confidence
Finding
subprocess.check_call(cmd)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    logger.warning(f"🔧 正在安装 {install_str} ...")

    try:
        subprocess.check_call([
            sys.executable, "-m", "pip", "install",
            install_str,
            "-i", "https://pypi.tuna.tsinghua.edu.cn/simple",
Confidence
97% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", install_str, "-i", "https://pypi.tuna.tsinghua.edu.cn/simple", "--quiet"

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                        sys.executable, "-m", "pip", "install",
                        "--upgrade", fallback_zip, "--quiet"
                    ]
                    subprocess.check_call(cmd_fallback)
                    logger.info(f"✅ 使用本地包 {fallback_zip} 安装成功!")
                    return
                except subprocess.CalledProcessError as e2:
Confidence
96% confidence
Finding
subprocess.check_call(cmd_fallback)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        logger.info("虚拟环境创建成功")

        logger.info("正在升级 pip...")
        subprocess.check_call([str(venv_python), "-m", "pip", "install", "--upgrade", "pip"])

    # ==================== Check whether PyTorch GPU is already installed ====================
    if Path(venv_python).exists() and is_torch_gpu_installed(venv_python):
Confidence
94% confidence
Finding
subprocess.check_call([str(venv_python), "-m", "pip", "install", "--upgrade", "pip"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # Install PyTorch
        logger.info("正在安装 PyTorch(~2-3GB,请耐心等待)...")
        subprocess.check_call([
            str(venv_python), "-m", "pip", "install", "torch", "torchvision", "torchaudio",
            "--index-url", index_url
        ])
Confidence
95% confidence
Finding
subprocess.check_call([ str(venv_python), "-m", "pip", "install", "torch", "torchvision", "torchaudio", "--index-url", index_url ])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            logger.info("安装 audio-separator CPU 版 + librosa...")
            subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])

        subprocess.check_call([str(venv_python), "-m", "pip", "install", "pydub"])
        subprocess.check_call([str(venv_python), "-m", "pip", "install", "huggingface-hub[tqdm]"])
        
        logger.info("✅ 虚拟环境及所有依赖安装完成!")
Confidence
90% confidence
Finding
subprocess.check_call([str(venv_python), "-m", "pip", "install", "pydub"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])

        subprocess.check_call([str(venv_python), "-m", "pip", "install", "pydub"])
        subprocess.check_call([str(venv_python), "-m", "pip", "install", "huggingface-hub[tqdm]"])
        
        logger.info("✅ 虚拟环境及所有依赖安装完成!")
Confidence
92% confidence
Finding
subprocess.check_call([str(venv_python), "-m", "pip", "install", "huggingface-hub[tqdm]"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # Install audio-separator + librosa (the one you mentioned)
        if use_gpu:
            logger.info("安装 audio-separator GPU 版 + librosa...")
            subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[gpu]", "librosa"])
        else:
            logger.info("安装 audio-separator CPU 版 + librosa...")
            subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])
Confidence
95% confidence
Finding
subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[gpu]", "librosa"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[gpu]", "librosa"])
        else:
            logger.info("安装 audio-separator CPU 版 + librosa...")
            subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])

        subprocess.check_call([str(venv_python), "-m", "pip", "install", "pydub"])
        subprocess.check_call([str(venv_python), "-m", "pip", "install", "huggingface-hub[tqdm]"])
Confidence
95% confidence
Finding
subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares itself as a local audio-processing tool but appears to invoke shell, inspect environment state, and use networked installation flows without declaring permissions. This creates a trust-boundary violation: invoking the skill may trigger code execution and dependency retrieval far beyond simple file processing, increasing supply-chain and host-impact risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a substantial description-behavior mismatch: the skill claims to only process local audio, but the analyzed behavior includes virtualenv creation, GPU/CUDA probing, downloading packages from pip/GitHub, and executing upgrade scripts. Such hidden setup and remote code acquisition materially expand the attack surface and can lead to unreviewed code execution on the host.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README states that VoiceFixer and AudioSR will automatically download models on first run, which contradicts the skill metadata's claim that it runs 'completely locally.' This hidden network behavior can violate user expectations, create supply-chain risk, and bypass environments that only permit offline/local processing.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script advertises fully local audio processing, yet it performs a runtime install from a remote GitHub repository. Pulling and executing code from an external URL during normal operation creates a supply-chain risk: a compromised repo, tag, branch, or transport path could result in arbitrary code execution on the user's machine.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Automatically installing packages from PyPI and GitHub at runtime gives the skill unnecessary code-fetching and code-execution capability unrelated to processing a provided audio file. Any dependency compromise, typosquatting, or malicious update could execute arbitrary installer or import-time code in the host environment.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The file presents itself as part of an audio-enhancement skill, but its actual behavior is a generalized package installer. This mismatch is dangerous because users and reviewers may authorize an audio-processing capability while unknowingly granting code that changes the Python environment and installs arbitrary software.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This module provides arbitrary installation from PyPI, git repositories, and local zip/wheel files, which is not justified by an audio-only enhancement skill. In context, this is more dangerous because the declared skill domain would not reasonably require broad software installation capabilities, increasing the likelihood of hidden supply-chain or execution abuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The module changes the host environment on import by force-reinstalling core packaging components. Import-time side effects are especially dangerous because simply loading the skill triggers system modification, making review, containment, and user consent much harder.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation and code behavior are inconsistent: the comments describe an audio-enhancement skill, while the implementation is a dependency installer. This discrepancy undermines transparency and can conceal risky behavior from users, auditors, and automated policy controls.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This is a scope-creep finding: the bootstrap installs audio-separator, which introduces source-separation functionality not described in the manifest, whose declared scope is enhancement, denoising, and super-resolution. In a security review, hidden or unnecessary capabilities matter because they increase attack surface and can violate user expectations about what the skill can do.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This skill is declared as a local audio-enhancement tool, yet the script performs network downloads, package bootstrapping, and forceful PyTorch installation into a Python environment. That behavior materially exceeds the skill's stated purpose and creates supply-chain and environment-integrity risk, especially because it fetches and installs large binary artifacts from the network without any hash or signature verification.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script traverses parent directories to locate a venv, searches /usr/local for shared libraries, changes LD_LIBRARY_PATH, uninstalls existing torch packages, and reinstalls replacements. For an audio-enhancement skill, these host-level discovery and mutation actions are unnecessary and dangerous because they can alter unrelated software environments and make execution depend on attacker-influenced filesystem state.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The script logs that it is a 'PyTorch 2.11.0 CUDA 13.0' downloader while the actual wheel URLs target torch 2.9.1/cu129. This inconsistency is a security-relevant trust issue because it obscures what software is really being installed, making operator review and incident response harder and increasing the chance that unexpected binaries are accepted.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill advertises itself as running completely locally, but it performs runtime dependency installation from PyPI and GitHub and may also trigger model downloads on first use. This creates a supply-chain and unexpected network-execution risk: remote code or artifacts can be fetched and executed in the user's environment without prior review, which is especially dangerous for a skill whose expected capability is only local audio processing.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Installing packages at runtime from external sources is an unnecessary capability expansion for an audio enhancement skill, because it allows arbitrary third-party code to enter the execution environment at the moment the skill runs. The direct install from a GitHub repository further increases risk because it bypasses normal review expectations and can change over time, enabling supply-chain compromise or silent behavior drift.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal