Denon AVR Control

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Denon media-control purpose, but some network file-sharing and process-control behavior is broader than users may realize.

Install only if you are comfortable letting the agent control your Denon receiver and expose chosen music files on your local network. Use a dedicated music-only folder, avoid DLNA push from directories containing private files, verify the bind address and port, and stop the playback/server processes when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises powerful capabilities including file access, network operations, and shell execution, but the skill metadata does not declare permissions or present clear trust boundaries. That makes it easier for an agent or user to invoke functionality with broader access than expected, especially since the skill can scan local media, start HTTP/DLNA services, and control networked devices.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose centers on controlling a Denon receiver and exposing local libraries to it, but the skill also supports direct host-local audio playback and independent playback-state management. This mismatch can mislead users and supervising systems about what the skill may do on the local machine, increasing the risk of unintended process execution, media access, or privacy surprises.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The stop_current function reads a PID from a writable state file in the user's home directory and sends SIGTERM to that PID without verifying that it belongs to the jukebox/player process started by this script. If an attacker or another local process can modify the state file, they can cause this helper to terminate arbitrary processes owned by the same user, turning a media-control utility into a generic process-kill primitive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The DLNA server mode exposes user-selected directories and serves their contents over HTTP on the local network, but the documentation does not prominently warn about that exposure. Users may unintentionally share private music libraries or adjacent files to other devices on the LAN without understanding that a discoverable media server is being created.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The experimental DLNA push mode makes a local file reachable by starting a temporary HTTP server on the LAN, but the documentation does not clearly disclose this network exposure. Even if temporary, it can unintentionally reveal local content or create a short-lived service that users and defenders are unaware of.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs the user to start a DLNA/HTTP media server on a LAN and keep it running, but it does not clearly warn that this exposes selected media directories and device metadata to other hosts on the local network. In a home or shared network environment, other devices may discover the service via SSDP and access or enumerate shared content, creating an avoidable privacy and local network exposure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The --raw option allows arbitrary Denon protocol commands to be sent directly to a network-connected receiver with no validation, restriction, or confirmation. In this skill's context, that means an upstream agent or user prompt can invoke device operations outside the intended safe command set, potentially changing settings, powering zones, or triggering unintended network/device behavior on the local network.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The push flow starts an HTTP server on a network-reachable interface and exposes the selected local file so the receiver can fetch it, but it does so without an explicit warning, consent checkpoint, authentication, or transport restriction. In this skill context, that behavior is core functionality, but it still creates real exposure because other hosts on the local network may be able to access the served file while the server is running, and the user may not realize a local file has been published over HTTP.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The server persists a JSON state file under the user's home directory containing absolute media paths, roots, host/port, PID, and service metadata. That creates an avoidable privacy leak because local filesystem structure and listening service details remain on disk after use, potentially exposing sensitive information to other local users, backups, or later processes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill starts an unauthenticated HTTP/DLNA server bound to a LAN address and serves user-selected local audio files to any device that can reach it. In the context of a home media-control skill this behavior is intended, but it still creates a real confidentiality exposure because private media and metadata become discoverable and retrievable across the local network without access control or an explicit warning.

VirusTotal

64/64 vendors flagged this skill as clean.
