Security audit

audio-segmenter

Security checks across malware telemetry and agentic risk

Overview

This audio-splitting skill appears to do its advertised job, but it also automatically changes Python environments and downloads tools without a clear consent boundary.

Install only if you are comfortable with the skill creating or modifying a Python environment, installing packages, downloading FFmpeg, writing logs, and generating many output audio files. Prefer running it in an isolated environment, preinstalling verified dependencies, and confirming exact input and output paths before recursive folder processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # 🔥 Key: auto-answer Y (default yes) so the download runs fully non-interactively
        logger.info("   自动确认下载中...")
        subprocess.run(["ffdl", "install"], input="Y\n", text=True, check=True)

        # Reload the module once the download has finished
        importlib.reload(ffdl)
Confidence
92% confidence
Finding
subprocess.run(["ffdl", "install"], input="Y\n", text=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    """Pin the setuptools version for legacy projects (setup.py files that use pkg_resources)"""
    logger.info("🔧 正在修复 setuptools 版本(兼容旧 GitHub 包构建)...")
    try:
        subprocess.check_call([
            sys.executable, "-m", "pip", "install",
            "--quiet", "--force-reinstall", "setuptools<=81.2.0", "wheel"
        ])
Confidence
85% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "--quiet", "--force-reinstall", "setuptools<=81.2.0", "wheel" ])

Dynamic import via __import__()

Medium
Category
Dangerous Code Execution
Content
    # Step 1: try an import check (fastest)
    try:
        parts = import_name.split('.')
        mod = __import__(parts[0])
        for part in parts[1:]:
            mod = getattr(mod, part)
        if sub_import:
Confidence
74% confidence
Finding
mod = __import__(parts[0])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd.extend(["-i", "https://pypi.tuna.tsinghua.edu.cn/simple"])

    try:
        subprocess.check_call(cmd)
        logger.info(f"✅ {spec} 安装/升级完成!")

    except subprocess.CalledProcessError as e:
Confidence
96% confidence
Finding
subprocess.check_call(cmd)

Dynamic import via __import__()

Medium
Category
Dangerous Code Execution
Content
    # ==================== 1. Check whether the package is installed and its version is sufficient ====================
    try:
        __import__(import_name)

        # Try to read the currently installed version
        try:
Confidence
71% confidence
Finding
__import__(import_name)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    logger.warning(f"🔧 正在安装 {install_str} ...")

    try:
        subprocess.check_call([
            sys.executable, "-m", "pip", "install",
            install_str,
            "-i", "https://pypi.tuna.tsinghua.edu.cn/simple",
Confidence
94% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", install_str, "-i", "https://pypi.tuna.tsinghua.edu.cn/simple", "--quiet"

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                        sys.executable, "-m", "pip", "install",
                        "--upgrade", fallback_zip, "--quiet"
                    ]
                    subprocess.check_call(cmd_fallback)
                    logger.info(f"✅ 使用本地包 {fallback_zip} 安装成功!")
                    return
                except subprocess.CalledProcessError as e2:
Confidence
95% confidence
Finding
subprocess.check_call(cmd_fallback)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        logger.info("虚拟环境创建成功")

        logger.info("正在升级 pip...")
        subprocess.check_call([str(venv_python), "-m", "pip", "install", "--upgrade", "pip"])

    # ==================== Check whether the GPU build of PyTorch is already installed ====================
    # if Path(venv_python).exists() and is_torch_gpu_installed(venv_python):
Confidence
91% confidence
Finding
subprocess.check_call([str(venv_python), "-m", "pip", "install", "--upgrade", "pip"])

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README presents the skill as an audio slicer, but it also declares capabilities to auto-create environments, install dependencies, and silently download FFmpeg binaries. That expands the trust boundary from local file processing to network access and system modification, which is security-relevant behavior users should be clearly told about before execution.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
A silent FFmpeg download is a meaningful capability because it retrieves externally sourced binaries and then executes or depends on them, which introduces supply-chain and consent risks. In the context of a simple audio-splitting skill, this is more dangerous because users may reasonably expect only local processing, not background network retrieval of executables.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill silently installs Python packages at runtime, which exceeds the declared behavior of processing local audio files and introduces hidden network access and code execution through package installation. This is dangerous because package repositories, transitive dependencies, or installer behavior can change over time, creating a supply-chain risk in a tool the user expects to only manipulate local files.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The function automatically downloads an external ffmpeg binary and installs it when missing, giving the skill network-enabled software acquisition and execution capabilities not justified by its stated purpose. In an agent environment, this is particularly risky because it enables unreviewed binary retrieval and subsequent use, increasing exposure to supply-chain compromise, unexpected privilege interactions, and policy bypass around software installation.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a general-purpose package installer despite the skill being declared as an audio segmenter. This mismatch is a strong indicator of hidden capability and materially increases suspicion because the code can alter the environment in ways unrelated to the advertised function.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code performs pip-based environment modification and subprocess execution immediately in a module intended for an audio-splitting skill. The context makes it more dangerous, not less, because arbitrary installation and execution are unnecessary for segmenting audio and can be abused for supply-chain compromise or host tampering.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Supporting git+ URLs, direct URLs, wheels, and zip archives turns the skill into a flexible package acquisition mechanism. In this skill context that is highly suspicious because it provides a path to fetch and execute arbitrary third-party code far beyond the declared audio-processing scope.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The embedded documentation explicitly describes an 'intelligent Python package installer,' which contradicts the manifest's stated purpose. Documentation mismatch alone is not exploitation, but here it corroborates that the file's true function is undeclared environment manipulation.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file's documented purpose is environment bootstrapping and dependency deployment, not audio segmentation. This mismatch is dangerous because it hides privileged setup behavior behind an innocuous skill identity, reducing user ability to make informed trust decisions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Creating virtual environments, installing packages, and launching subprocesses are powerful capabilities that exceed the minimum needed for audio splitting with ffmpeg. In this skill context, these behaviors materially increase attack surface and can be abused for unauthorized software installation or execution under the user's account.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module documentation explicitly states that it performs environment enforcement, GPU probing, and automated dependency installation, which contradicts the skill's presented purpose. This is a transparency and trust issue that can mask risky behavior from users and reviewers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes automatic dependency installation and silent FFmpeg download without clearly warning users that the skill may perform network activity and modify the local environment. Lack of disclosure undermines informed consent and increases the chance that users run code that changes their system state unexpectedly.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Overly broad triggers like '切片' (slice) and '分段' (segment) can cause the skill to activate for unrelated user requests, leading to unintended shell execution or file operations in the wrong context. In this skill, that matters more because activation may cascade into environment setup, package installation, and filesystem writes, so a mistaken trigger has nontrivial side effects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The description does not clearly warn that the skill will create output directories/files and may automatically install ffmpeg. This is risky because users may expect a simple local transformation but instead trigger host changes and software installation without clear advance notice or consent.

VirusTotal

64/64 vendors flagged this skill as clean.