Spotify Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real Spotify helper, but it asks for broader Spotify account access than its visible features need and stores reusable tokens locally.

Review before installing. Only authorize this skill if you are comfortable granting broad Spotify permissions, including playlist/library changes and some profile/follow-related access. Keep config.json private, do not commit or share it, consider trimming unused OAuth scopes before authorizing, and revoke the Spotify app if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares access to environment variables, writes to config.json, and performs network requests to the Spotify API, but no explicit permissions are declared in the manifest. That creates a transparency and policy-enforcement gap: a user or platform may invoke the skill without understanding it can read secrets, persist OAuth tokens, and make external calls on the user's behalf.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The OAuth scope set requests access beyond the core playback and playlist control described in the skill metadata, including library, follow, and profile-related permissions. Overbroad scopes violate least-privilege and increase the blast radius if the skill, host, or stored tokens are compromised.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Requesting user email and private profile access is not clearly necessary for playback control, search, playlist management, recommendations, or listening analysis as described. Collecting unnecessary identity data increases privacy risk and exposes more sensitive account information if tokens are leaked or misused.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code requests saved-library and follow modification privileges that are not disclosed in the skill description. This allows the skill to alter the user's library or follow state unexpectedly, creating a trust and integrity risk beyond the user's likely expectations.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list includes broad terms such as "playlist", "play music", and "what song", which can match ordinary conversation and cause unintended invocation. In context, unintended activation could expose listening data, alter playback, or create/modify playlists without the user clearly intending to use this skill.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persists OAuth tokens into config.json on disk without any visible safeguards, warning, or permission hardening. Local token storage can enable account access by other local users, backup systems, or malware if the file is readable or accidentally shared.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The CLI exposes state-changing operations such as saving tracks and creating, editing, adding to, and removing from playlists with no confirmation, preview, or explicit user-facing warning. In an agent context, ambiguous or adversarial prompts could trigger irreversible or confusing modifications to a user's Spotify library and playlists without the user's informed consent.

Missing User Warnings

Low
Confidence
82% confidence
Finding
Playback-control commands can change the active listening state, device output, queue, volume, and playback target without any disclosure or confirmation. While lower severity than data-destructive actions, this is still risky in an agent skill because a prompt injection or misunderstanding could interrupt playback, switch devices, or alter volume unexpectedly.

VirusTotal

67/67 vendors flagged this skill as clean.
