Lu Music Player

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Mopidy music-player helper with disclosed NAS-specific commands, not hidden or automatically executing behavior.

Install only if you intend to manage a Mopidy service. Update the hard-coded IP address, public URL, container name, and music path for your own environment, and require confirmation before restarting containers, scanning the library, or changing file permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger phrases are broad everyday expressions such as '播放音乐', '暂停音乐', '下一首', and '音量', which can cause the skill to activate unintentionally during normal conversation. In a skill that can surface operational instructions and system-management actions, accidental activation increases the chance of unintended service interaction or disclosure of internal service details.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill includes impactful operational commands like restarting containers, viewing logs, and scanning the music library, but it does not warn users about service interruption, metadata changes, or operational side effects. In practice, presenting such commands as routine troubleshooting steps can lead users or downstream agents to perform disruptive actions without understanding the consequences.

VirusTotal

64/64 vendors flagged this skill as clean.
