Last.fm

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-only Last.fm helper, but users should change the documented API URLs to HTTPS before use.

Install only if you are comfortable configuring a Last.fm API key and username for read-only lookups. Before running the examples, replace the documented http:// API URLs with https:// where supported, avoid sharing expanded command lines or logs containing the API key, and rotate the key if it is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill consistently uses plain HTTP URLs for API requests, which exposes the Last.fm username, API key, and listening-history queries to interception or modification by any network attacker on the path. Even though the endpoints are read-only, this still leaks account identifiers and personal media-interest data and enables tampering with returned content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal