Local LRC Editor: Professional LRC Lyrics Authoring Tool

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real LRC lyrics editor, but its local web server is exposed too broadly and allows unauthenticated upload and shutdown actions.

Install only if you are comfortable running a local Flask app that installs Python packages. Before use, bind the server to 127.0.0.1 instead of 0.0.0.0, run it in a virtual environment, sanitize upload filenames, and clear browser storage after editing sensitive lyrics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def install_package(package):
    """Install a Python package"""
    subprocess.check_call([sys.executable, "-m", "pip", "install", package])

def check_dependencies():
    """Check for and install dependencies"""
Confidence
93% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", package])

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The documentation describes shell-capable behavior such as running `python start_server.py` and auto-installing dependencies, but no permissions are declared. Hidden or undeclared execution capability weakens user consent and platform enforcement, especially because package installation and service startup can modify the environment and invoke external tooling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill claims to be a lyrics editor, but the documented behavior also includes a remotely callable shutdown capability and runtime dependency installation. These side behaviors materially change the risk profile: a shutdown endpoint can be abused for denial of service, and automatic pip installs introduce supply-chain and arbitrary code execution risk through package retrieval and installation scripts.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
A startup script for an LRC editor does not inherently need the ability to install software dynamically, so bundling pip installation into normal execution is an unnecessary privileged capability. This can surprise users, bypass change-control expectations, and expose the host to malicious or tampered dependencies fetched during startup.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `/shutdown` route exposes a server-termination capability over HTTP with no authentication or authorization. Any party that can reach the service can stop it remotely, causing immediate denial of service, and this functionality is unrelated to the advertised LRC editing purpose, which increases suspicion and risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill implements service lifecycle termination behavior that is not described in the manifest or user-facing scope, creating hidden functionality. Undisclosed operational controls are dangerous because they expand the attack surface and may bypass user expectations, review, or deployment controls.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The client explicitly issues a POST request to /shutdown from a normal user-facing page, introducing administrative capability unrelated to LRC editing. If the backend endpoint lacks strong authentication and CSRF protection, any user of the page—or potentially another site via request forgery—could terminate the service, causing denial of service.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The shutdown endpoint performs a destructive action without any authentication, confirmation, or warning, so a simple POST request can kill the service. In a Flask app bound to `0.0.0.0`, this can be exploited by any reachable client, making denial of service trivial.

VirusTotal

63/63 vendors flagged this skill as clean.
