Security audit

ClawSpotify

Security checks across malware telemetry and agentic risk

Overview

This Spotify control skill appears purpose-aligned, but it asks users to extract and persist Spotify session cookies with insufficient safety controls and relies on an external dependency for that handling.

Review before installing. Use this only if you are comfortable giving the skill and its SpotAPI dependency access to your Spotify browser session. Treat sp_dc and sp_key like passwords: do not paste them into shared terminals, logs, screenshots, or agent transcripts; check permissions on ~/.config/spotapi/session.json; and log out of Spotify sessions or rotate cookies if you think they were exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (8)

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The usage text exposes a setup flow for capturing and persisting highly sensitive Spotify session cookies (sp_dc and sp_key), but the skill metadata does not disclose this credential-handling behavior. In an agent context, hidden credential collection and local persistence materially changes the trust model because users may invoke a benign-looking playback skill without realizing it stores reusable authentication tokens.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The README directs users to extract `sp_dc` and `sp_key` browser session cookies and store them for later reuse, but does not clearly warn that these are sensitive authentication secrets equivalent to account session tokens. In the context of an agent-integrated skill, normalizing manual cookie extraction materially increases the chance of account compromise, credential leakage, and unsafe handling by users or tools.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The setup instructs users to copy raw `sp_dc` and `sp_key` browser cookies and pass them to the tool, but does not clearly warn that these are highly sensitive authentication secrets equivalent to account credentials. If exposed through shell history, screenshots, logs, process listings, or insecure local storage, an attacker could hijack the user's Spotify session and act as that account.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The tool instructs users to supply sensitive browser-derived session cookies and does so without an explicit warning that these values are equivalent to account authentication material and may be persisted locally. In practice, such cookies can enable unauthorized account access if leaked through shell history, logs, screenshots, or local compromise.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The setup path saves Spotify session credentials to a local session file without presenting a clear safety warning or describing file protection expectations. Persisting reusable session material increases exposure to local attackers, backups, logs, or misconfigured file permissions, especially in shared or multi-user environments.

Ssd 3

High

Confidence: 98% confidence
Finding: These instructions explicitly teach users to retrieve browser session cookies and persist them in a local session file, which exposes reusable authentication material outside the browser's normal protection boundaries. Because session cookies can often act as bearer secrets, anyone who obtains them may be able to access or control the Spotify account until the session expires or is revoked.

Ssd 3

Medium

Confidence: 99% confidence
Finding: Showing raw session secret values directly in command-line examples normalizes passing credentials as shell arguments, which can leak into shell history, process listings, terminal scrollback, logs, screenshots, and agent telemetry. While the example strings are placeholders, the usage pattern encourages unsafe operator behavior with real secrets.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The multi-account and troubleshooting sections continue to instruct users to re-enter or replace session cookies in plaintext commands, reinforcing insecure secret handling across normal and recovery workflows. Repetition in several sections increases the likelihood that users will operationalize unsafe practices and expose valid session material during routine use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.