Sonos Announce

Security checks across malware telemetry and agentic risk

Overview

This Sonos announcement skill is generally purpose-aligned, but it uses unsafe shell commands to start a media server and can leave processes running or kill local processes in ways users should review first.

Review carefully before installing. Use only trusted, simple local media paths; avoid pointing media_dir at private directories; confirm the configured port is not used by another service; and prefer a fixed version that replaces shell commands with subprocess calls using argument lists, validates paths, binds narrowly, and stops only the server process it started.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    print(f"Starting HTTP server from {media_dir}...")
    if platform.system() == "Windows":
        # Start server and save PID to file
        os.system(f'start /b python -m http.server {HTTP_PORT} --directory "{media_dir}"')
        # On Windows, we can't easily get the PID of start /b, so just track by port
        # The stop_http_server will use port-based killing as fallback
    else:
Confidence
98% confidence
Finding
os.system(f'start /b python -m http.server {HTTP_PORT} --directory "{media_dir}"')

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        # The stop_http_server will use port-based killing as fallback
    else:
        # Use nohup to ensure it persists and save PID
        os.system(f'nohup python3 -m http.server {HTTP_PORT} --directory "{media_dir}" > /tmp/sonos_http.log 2>&1 &')
        # Save PID for clean shutdown
        time.sleep(1)
        # Find the PID by port and save it
Confidence
99% confidence
Finding
os.system(f'nohup python3 -m http.server {HTTP_PORT} --directory "{media_dir}" > /tmp/sonos_http.log 2>&1 &')

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        except:
            pass
    else:
        os.system(f"lsof -ti:{HTTP_PORT} | xargs kill -9 2>/dev/null")
        os.system(f"pkill -9 -f 'python3 -m http.server {HTTP_PORT}' 2>/dev/null")
Confidence
96% confidence
Finding
os.system(f"lsof -ti:{HTTP_PORT} | xargs kill -9 2>/dev/null")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
            pass
    else:
        os.system(f"lsof -ti:{HTTP_PORT} | xargs kill -9 2>/dev/null")
        os.system(f"pkill -9 -f 'python3 -m http.server {HTTP_PORT}' 2>/dev/null")


def is_external_input(uri):
Confidence
95% confidence
Finding
os.system(f"pkill -9 -f 'python3 -m http.server {HTTP_PORT}' 2>/dev/null")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if platform.system() == "Windows":
        # Use netstat to find and kill the process on the port
        try:
            result = subprocess.run(
                f'for /f "tokens=5" %a in (\'netstat -aon ^| findstr :{HTTP_PORT} ^| findstr LISTENING\') do taskkill /f /pid %a',
                shell=True, capture_output=True, text=True
            )
Confidence
92% confidence
Finding
result = subprocess.run( f'for /f "tokens=5" %a in (\'netstat -aon ^| findstr :{HTTP_PORT} ^| findstr LISTENING\') do taskkill /f /pid %a', shell=True, capt

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        time.sleep(1)
        # Find the PID by port and save it
        try:
            pid = subprocess.check_output(f"lsof -ti:{HTTP_PORT}", shell=True).decode().strip()
            with open(PID_FILE, 'w') as f:
                f.write(pid)
        except:
Confidence
94% confidence
Finding
pid = subprocess.check_output(f"lsof -ti:{HTTP_PORT}", shell=True).decode().strip()

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation and metadata indicate capabilities including environment access, file I/O, network exposure, and shell/process control, but no explicit permissions are declared. This creates a transparency and trust problem: consumers may invoke the skill without understanding that it can read local files, expose them over HTTP, and manage local processes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose focuses on Sonos announcement playback and state restoration, but the documented behavior also includes starting a local HTTP server, killing processes on a port, probing local files, and auto-detecting/broadcasting a LAN-reachable host address. Those additional behaviors materially expand the attack surface and can expose local media or interfere with unrelated services if not clearly disclosed and constrained.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill can start a local HTTP server and forcibly kill local processes by PID/port/pattern, which is a capability broader than simple audio announcement playback. In a home automation/agent setting, that creates avoidable host-level control that could disrupt unrelated software or be repurposed if exposed through higher-level automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes serving local audio files over an HTTP server but does not warn that this makes media reachable over the local network. Without clear disclosure and safeguards, users may unintentionally expose private audio files or sensitive filenames/paths to other devices on the LAN.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code forcefully terminates processes with `kill -9`, `taskkill /f`, and `pkill -9` without explicit user confirmation or careful ownership checks. In context, this can abruptly stop unrelated services and increase operational risk, especially if the configured port overlaps with another application.

VirusTotal

65/65 vendors flagged this skill as clean.