Skill Digico Mixer

Security checks across malware telemetry and agentic risk

Overview

This skill is designed to control professional audio mixers, but it can change live mixer state without built-in safety checks or confirmations.

Install only if you intentionally want an agent to interact with real DiGiCo mixer infrastructure. Limit use to trusted networks and approved operators, verify the target IP and port before any write action, and avoid automated scene, gain, routing, compressor, or snapshot changes unless you add your own confirmation and approval process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly enables remote state-changing operations on production audio equipment, including scene loads, routing, and channel processing changes, but does not document confirmations, dry-run behavior, rollback guidance, or operator warnings. In a live sound context, unintended or automated execution can immediately disrupt broadcasts or performances, making this more dangerous than generic device control.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill declares support for automated invocation and even provides cron-style monitoring/automation examples, yet it does not warn that unattended execution against production mixers can issue disruptive control commands or amplify mistakes caused by misconfiguration, stale state, or compromised orchestration. Because this targets core show-control infrastructure, automation without guardrails materially raises operational and safety risk.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill can issue live remote-control commands that change mixer state without any confirmation, safety interlock, or user-facing warning that operational audio may be affected immediately. In a production or broadcast environment, accidental or unauthorized invocation could disrupt live sound, alter gain structure, or impact safety-critical announcements.

Missing User Warnings

Medium
Confidence: 89%
Finding
Saving a snapshot writes persistent state on the remote mixer, yet the skill does not warn the user or require confirmation before performing the action. This increases the risk of accidental overwrites, configuration drift, or tampering with stored show-state on a live or shared console.

VirusTotal

67/67 vendors flagged this skill as clean.
