Spotify

Security checks across malware telemetry and agentic risk

Overview

This Spotify helper matches its stated purpose, but setup asks users to import Chrome browser cookies into a third-party CLI without explaining the credential risk.

Review before installing. Only run the cookie-import step if you trust spogo and are comfortable letting it read Chrome session cookies for Spotify authentication. Consider using a separate browser profile or a documented OAuth/client-id flow if available, and know how to revoke Spotify sessions or remove the CLI’s stored auth state.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the user to import browser cookies into a CLI tool without any warning about the sensitivity of browser session data or the privacy/security implications of extracting cookies from Chrome. Browser cookies can grant account access and may expose active authenticated sessions, so normalizing this action in setup guidance increases the risk of credential misuse or accidental over-collection.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal