Back to skill

Security audit

Spotify History

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Spotify integration, with privacy-sensitive local token storage and a broader Spotify API helper users should understand before installing.

Install only if you are comfortable granting Spotify account access for listening history, top items, recommendations, and possibly current playback data. Keep the client secret and ~/.config/spotify-clawd/token.json private, avoid entering the secret while screen sharing, and revoke the Spotify app authorization plus delete local credentials/tokens when you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs users to run shell scripts, read environment variables and files for credentials, write tokens and credential files, and access the network, but it does not declare those permissions up front. This weakens informed consent and makes the real security boundary of the skill less visible to users and reviewers, especially because it handles secrets and persistent OAuth tokens.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is limited to listening history, top artists/tracks, and recommendations, but the documented json mode permits arbitrary Spotify Web API endpoint access and the required scopes include playback-related permissions not reflected in the summary. This creates a material mismatch between user expectations and actual capability, increasing the risk of over-collection of account data and misuse of the granted OAuth token.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Exposing a raw API mode for any Spotify endpoint expands the skill from a narrowly scoped history/recommendation helper into a general-purpose account data access tool. In context, this is more dangerous because users are likely to authorize the skill believing it only reads limited listening insights, while the documented interface supports broader data retrieval.

Description-Behavior Mismatch

Low
Confidence
87% confidence
Finding
The required scopes include playback-state and currently-playing access even though the skill is presented primarily as a history and recommendations tool. While read-only, these scopes still expose additional behavioral data and contribute to unnecessary privilege beyond the documented core use case.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The `json` command permits raw access to arbitrary Spotify API endpoints, expanding capability beyond the declared purpose of listening history, top items, and recommendations. In an agent-skill context, this can expose additional account/profile/library data under the same OAuth grant and weakens least-privilege expectations for users and reviewers.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Allowing arbitrary endpoint selection through command-line input creates a generic Spotify API proxy rather than a narrowly scoped history/recommendation helper. Even if not malicious, this broad querying ability can be misused by downstream agents to retrieve unrelated personal data without a corresponding product need.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The module docstring describes only listening history and recommendations, but the code exposes general endpoint access via the `json` command. This mismatch can mislead reviewers and users about the actual data-access surface, reducing transparency and making overbroad access harder to detect.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The requested OAuth scopes include user-read-playback-state and user-read-currently-playing, which go beyond the stated purpose of history, top artists/tracks, and recommendations. Requesting broader scopes than necessary violates least privilege and grants access to more sensitive live playback information than users would reasonably expect from the skill description.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly states that the agent will fetch and analyze a user's Spotify listening history and taste profile, but it does not warn users that this is personal behavioral data or clarify whether it may be exposed to the agent, logs, or downstream systems. This creates a real privacy risk because users may authorize access without understanding the sensitivity of their listening history or how the data will be handled.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explains how to store Spotify client credentials and persistent access tokens, but it does not clearly warn users that granting access exposes personal listening history and related account activity. Because the skill persists OAuth material locally, insufficient privacy disclosure can lead users to authorize sensitive account-data access without understanding the retention and exposure implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads the Spotify Client Secret using a normal `read -p`, which echoes the secret to the terminal and offers no explicit warning that sensitive data is being captured and written to disk. This increases the chance of shoulder-surfing, terminal logging/history exposure, or accidental disclosure during screen sharing, especially because the skill is specifically designed to collect OAuth credentials.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
OAuth tokens are stored persistently in a predictable file under the user's home directory without any permission hardening or encryption. If local filesystem access is obtained by another user, process, or backup/sync tool, the tokens could be reused to access the user's Spotify data until revoked or expired.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The script stores OAuth token data, likely including a refresh token, in a persistent file under the user's home directory. Although permissions are restricted to 0600, these tokens can still be abused by anyone who gains access to the user account, and the script does not explicitly warn the user before persisting them.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.