RoomSound

Security checks across malware telemetry and agentic risk

Overview

RoomSound is a disclosed audio and Bluetooth speaker-control skill, with local setup and speaker changes that fit its purpose but deserve user awareness.

Install only if you are comfortable letting the agent install local audio/Bluetooth packages, play YouTube audio, switch Bluetooth speakers or audio sinks, create ~/.config/yt-dlp/config, and remember speaker aliases/MAC addresses. Ask for confirmation before package installs or persistent config writes if you want tighter control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The guide explicitly tells users that the agent should run technical fixes automatically when failures occur, without stating any approval, visibility, or scope limits. In a skill that can install packages, manage Bluetooth/audio devices, and alter system playback configuration, this can lead to unreviewed system-affecting actions that users did not clearly authorize.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to automatically install packages and write persistent configuration on first use, without requiring clear prior user consent. That creates an unsafe autonomy boundary: a normal playback request could lead to system modification and persistent state changes, which is especially risky in agent environments that may execute shell commands directly.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal