Music

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local music-tracking helper that writes notes under a dedicated music folder, with no evidence of exfiltration or hidden execution.

Install only if you want an agent to maintain local markdown notes about your music taste, concerts, albums, and related memories under ~/music/. Ask the agent to confirm before first creating files and before saving personal music history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill's activation cues are very broad (e.g., any mention of a song, album, concert, or asking for music), which can cause it to trigger during ordinary conversation and take actions or steer responses without clear user intent to use the skill. In a file-writing skill, over-broad activation increases the chance of unintended data collection or unexpected persistence of personal preferences and events.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs creation of a ~/music/ workspace but does not disclose that it will write to the local filesystem or ask for user consent first. This is dangerous because a user may merely be discussing music, while the agent creates directories or stores personal taste, concert attendance, and memories on disk without explicit authorization.

VirusTotal

66/66 vendors flagged this skill as clean.
