Back to skill

Security audit

Sonos Netease Playback

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Sonos/Netease setup helper that creates a local Python environment, installs the SoCo dependency, and prepares a playback wrapper without hidden data access or privileged behavior.

Install this only if you use Sonos with Netease playback and are comfortable with a local script creating $HOME/.openclaw/venvs/soco-sonos, installing soco with pip, and creating a wrapper in your workspace if one is missing. Review the separate playback Python script you provide or already have, because this package expects that script but does not include it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description says to use the skill whenever an agent needs a reusable workflow to search and play a song, bootstrap dependencies, or restore the environment after migration. This spans several loosely bounded situations and does not provide explicit trigger phrases, exclusions, or constraints, which could cause unintended invocation from general music-playback or environment-repair requests.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.