Oathe Security Badge

Is 2771096196/music-manager safe?

https://clawhub.ai/2771096196/music-manager

76
CAUTION

This music manager skill provides legitimate functionality for downloading audio from YouTube and Bilibili, but contains moderate security risks due to subprocess execution with user input and external tool dependencies. No evidence of malicious intent or actual data exfiltration was found.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (4)

MEDIUM Command injection risk in subprocess execution -25

The download_music.py script executes yt-dlp via subprocess.run() with user-provided search terms. While using list format provides some protection, there may still be risks from yt-dlp argument injection.

LOW External tool dependency and execution -15

The skill relies on downloading and executing external tools (yt-dlp, ffmpeg) which could introduce supply chain risks if these tools are compromised.

LOW Network connections during installation -15

Multiple network connections were observed during installation to external hosts including clawhub.ai and 216.150.1.1, which is expected behavior but worth noting.

INFO Legitimate music downloading functionality -25

The skill provides legitimate music downloading capabilities from YouTube/Bilibili but could potentially be misused as a general command execution vector due to subprocess usage.