Apple Music DJ

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it asks for Apple Music account access, can modify playlists, and has under-scoped automation and cron handling that users should review carefully.

Install only if you are comfortable giving the skill Apple Music developer and user tokens that can read personal listening data and modify playlists. Avoid enabling cron automation until the cron command construction is fixed or you have reviewed the generated crontab; use explicit Apple Music requests for write actions, and treat all Apple Music tokens like passwords.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
ids_file = f.name

    try:
        result = subprocess.run(
            [str(SCRIPT_DIR / "build_playlist.sh"), "create", name, description, ids_file],
            capture_output=True, text=True, timeout=60,
        )
Confidence
93% confidence
Finding
result = subprocess.run( [str(SCRIPT_DIR / "build_playlist.sh"), "create", name, description, ids_file], capture_output=True, text=True, timeout=60, )

Vague Triggers

Medium
Confidence
82% confidence
Finding
The README encourages very broad natural-language invocation for a high-privilege skill that can analyze personal listening data and create or modify playlists in the user's Apple Music library. Broad triggers like general Apple Music, playlists, recommendations, or 'DJ' increase the chance of accidental or unintended activation, which can lead to unwanted access to user data or unintended library modifications.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The command table presents many natural-language phrases as if they are all safe and unambiguous, but several are open-ended and overlap with ordinary music conversation. In a skill that supports writes, automation, and profiling, this ambiguity can cause the agent to infer capability use without sufficiently verifying user intent, especially for actions like playlist refresh, cron setup, or account analysis.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list is extremely broad and includes generic terms like "DJ," "mix," "playlist for," and broad music-discussion phrases. This can cause unintended invocation in unrelated conversations, leading the skill to access Apple Music tokens, profile data, or perform playlist/library actions without sufficiently clear user intent.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Several feature triggers are ambiguous phrases such as "play something," "daily pick," and "new releases," which are common in ordinary conversation and do not reliably indicate consent for profile analysis or playlist creation. In this skill context, ambiguous routing is more dangerous because the skill can read personal listening history, use stored tokens, and write directly to the user's Apple Music library.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions render the Music User Token directly into page content, making a long-lived bearer credential visible in the DOM and easy to copy, screenshot, leak via screen sharing, or capture by browser extensions and local shoulder-surfing. In this skill's context, that token grants access to the user's Apple Music account data and library actions, so exposing it without explicit handling guidance increases the chance of credential compromise.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The troubleshooting step tells users to decode and inspect a developer token directly in the shell, but does not warn that the JWT contents and token itself are sensitive authentication material. In practice this can expose token data via shell history, terminal scrollback, shared sessions, or screen recording, increasing the chance of credential leakage during support or debugging.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions tell the user to copy a Music User Token from the browser console and export it, but do not immediately label it as a secret or warn against sharing it. Because this token grants access to user-specific Apple Music data and actions, accidental disclosure through screenshots, copied console logs, shell history, or support tickets could enable unauthorized access to the user's account-scoped API operations.

Unvalidated Output Injection

High
Category
Output Handling
Content
def set_crontab(content: str) -> bool:
    """Write content as the new crontab."""
    try:
        result = subprocess.run(
            ["crontab", "-"], input=content, capture_output=True, text=True
        )
        return result.returncode == 0
Confidence
92% confidence
Finding
subprocess.run( ["crontab", "-"], input=content, capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Cache management:**
- Taste profile cache has a 7-day TTL by default
- Cache can be cleared: `rm -rf ~/.apple-music-dj/`
- Use `--max-age 0` to bypass cache and fetch fresh data

## Scripts
Confidence
67% confidence
Finding
rm -rf ~

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Cache management:**
- Taste profile cache has a 7-day TTL by default
- Cache can be cleared: `rm -rf ~/.apple-music-dj/`
- Use `--max-age 0` to bypass cache and fetch fresh data

## Scripts
Confidence
67% confidence
Finding
rm -rf ~/.apple-music-dj/

VirusTotal

64/64 vendors flagged this skill as clean.
