ClawHub

Spotify History

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent Spotify account integration, but users should understand it stores local Spotify credentials/tokens and can access private listening data through OAuth.

Install only if you are comfortable granting OAuth access to your Spotify listening and preference data. Check the requested Spotify scopes, know where the client secret and token files are stored, keep those files private, and revoke the Spotify app authorization if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The undocumented 'json' command allows callers to query arbitrary Spotify API endpoints, expanding the skill beyond its stated listening-history and recommendation purpose. In an agent setting, this broadens account data access and may expose profile, library, playlist, or other Spotify data that users would not reasonably expect from the manifest.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Arbitrary endpoint querying is not necessary to deliver recent plays, top artists/tracks, or recommendations, so it materially increases the accessible attack surface and potential privacy exposure. In the skill context, this mismatch between declared functionality and actual capability makes misuse by a calling agent more likely.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README suggests natural-language phrases like 'What have I been listening to?' and 'Who are my top artists?' as triggers for the skill. In an agent environment, these overlap with ordinary conversation and can cause unintended invocation of a capability that accesses private Spotify account data, especially if invocation is based on loose intent matching.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises access to listening history, top artists, and recommendations derived from a user's Spotify account, but does not prominently warn that this involves privacy-sensitive personal data and OAuth-based account access. Users or integrators may underestimate the sensitivity of playback history and preference data, leading to uninformed consent and overbroad use in agent workflows.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script collects a Spotify client secret interactively and writes it in plaintext JSON to a workspace-local credentials file. Although it sets restrictive permissions afterward, storing long-lived secrets on disk without an explicit warning or stronger protection increases the risk of accidental disclosure through backups, misconfigured file sharing, or workspace access by other local processes/users.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
OAuth token data, including refresh tokens, is written to disk in plaintext under the user's home directory without any permission hardening or secure storage mechanism. If another local user, process, backup system, or malware can read that file, long-lived Spotify access can be stolen and reused.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script stores OAuth token data, likely including a refresh token, on disk without a clear user-facing warning or consent prompt about persistent credential storage. Even though file permissions are restricted to 0600, local compromise, backups, sync tools, or accidental disclosure of the token file could expose long-lived access to the user's Spotify account data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal