Spotify Ads CLI

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent as a Spotify Ads helper, but it under-describes side effects by calling the CLI read-only while documenting commands that create remote report jobs and suggesting asset or audience management.

Review before installing. Use it only with Spotify Ads accounts where you are comfortable granting reporting access, and require explicit confirmation before commands that create CSV reports or manage audiences/assets. The concern is inaccurate scoping and persistence, not artifact-backed theft or destruction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill claims the CLI is read-only, but later documents `csv-report` as a POST request that creates a server-side report job. That mismatch is dangerous because users or downstream agents may authorize execution under a false assumption of non-mutating behavior, weakening safeguards around side-effecting operations.

Session Persistence

Medium
Category
Rogue Agent
Content
# Spotify Ads CLI Skill

You have access to `spotify-ads-cli`, a read-only CLI for the Spotify Ads API (v3). Use it to query businesses and ad accounts, pull aggregate and insight reports, create async CSV reports, estimate audience sizes and bid ranges, explore targeting options, manage audiences and assets, and track measurement pixels and datasets.

## Quick start
Confidence
84% confidence
Finding
create async CSV reports, estimate audience sizes and bid ranges, explore targeting options, manage audiences and assets, and track measurement pixels and datasets. ## Quick start ```bash # Check if

Session Persistence

Medium
Category
Rogue Agent
Content
#### CSV report (async)

Create an async CSV report and poll for status.

```bash
# Create an async CSV report (POST request)
```
Confidence
91% confidence
Finding
Create an async CSV report and poll for status. ```bash # Create an async CSV report (POST request) spotify-ads-cli csv-report acc_abc123 --start 2026-01-01 --end 2026-01-31 spotify-ads-cli csv-repor

VirusTotal

59/59 vendors flagged this skill as clean.
