ControlFoley Audio Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward remote audio-generation helper that sends user-selected prompts and media to Xiaomi's ControlFoley service and saves returned audio/video files locally.

Install only if you are comfortable sending prompts, videos, and reference audio to the Xiaomi-operated ControlFoley service. Use non-sensitive media, choose an output directory intentionally, and review the service's own terms for retention or access policies before processing private or regulated content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
90% confidence
Finding
The API reference explicitly states a remote Base URL and documents uploading prompts, video files, and reference audio, but it does not warn users that this content is transmitted off-device to an external service. This can mislead users into sending sensitive media or text to a third party without informed consent, creating privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
88% confidence
Finding
The script uploads a user-specified local video and optional reference audio to a remote service, but it provides no explicit consent prompt or prominent warning at the point of use that local media will be transmitted off-host. In an agent-skill context, this can expose sensitive local files or personal media to a third party if the caller misunderstands the operation or passes unintended paths.

Missing User Warnings

Low
80% confidence
Finding
The script downloads remote content from service-provided URLs and writes it to disk automatically, without prominent notice or safeguards on filenames. In an agent environment, silent file creation can surprise users, consume disk space, or overwrite expected outputs if remote filenames are malicious or conflicting.

VirusTotal

65/65 vendors flagged this skill as clean.