Home Music

Security checks across malware telemetry and agentic risk

Overview

This skill transparently controls local Spotify and Airfoil music scenes, with no evidence of hidden data access or malicious behavior.

Before installing, review the speaker names, playlists, and volume levels, inspect or update the separate spotify-applescript helper path, and consider using a user-local bin directory or explicit home-music commands instead of relying on broad voice-style phrases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrase set includes broad, natural-language phrases like "music scene," "party mode," "chill music," and "house music," which are likely to overlap with ordinary conversation or unrelated user requests. In a voice- or chat-activated assistant context, this can cause unintended activation of a skill that controls household audio devices, leading to surprise playback or disruption across multiple speakers.

Vague Triggers

Medium
Confidence: 89%
Finding
The example invocations such as "Hey, start party mode," "Put on some chill music," and "Stop the music" are extremely generic and reinforce unsafe activation patterns. Because the skill performs real-world actions on Spotify and Airfoil, these broad phrases increase the chance that unrelated user intent or ambient conversation triggers whole-house audio changes unintentionally.

VirusTotal

66/66 vendors flagged this skill as clean.
