Devialet Speaker Control

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to control Devialet and Spotify playback, but it includes under-disclosed desktop automation and Spotify token storage that users should review before installing.

Install only if you are comfortable letting the skill control your Devialet speaker and Spotify playback. Prefer direct Spotify URIs or the scoped API helper over search playback that uses xdotool, protect the Spotify config/token files, revoke the Spotify app token when no longer needed, and use this only on a trusted local network with the correct speaker IP configured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documents shell-based execution and network/desktop control capabilities but does not declare corresponding permissions or clearly bound those capabilities. This creates a trust and review gap: users and tooling may approve the skill for simple speaker HTTP control while it can also invoke local shell behavior and related side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest describes a local Devialet HTTP-control skill, but the documentation shows materially broader behavior: Spotify integration, desktop automation via playerctl/xdotool, and additional web/API interactions. This mismatch is dangerous because reviewers and users may consent to a narrowly scoped local-network control tool while the skill can affect online accounts, local desktop state, and external services.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The description omits Spotify search and playback behavior even though the skill prominently advertises playing songs by search/query. Hidden capability expansion can lead users to trigger actions involving third-party services and account-linked playback without informed consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Desktop automation dependencies such as playerctl and xdotool are substantially more powerful than simple speaker HTTP control and can influence local applications/session behavior. Introducing them without clear justification in the manifest increases the risk of unintended local control and weakens user understanding of the skill’s true reach.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script’s scope exceeds simple Devialet speaker control by interacting with the local Spotify desktop session over D-Bus, performing UI automation, and including web-search-based lookup logic. In a skill advertised as speaker control, these extra capabilities increase attack surface and can trigger unintended actions on the user’s desktop or leak user queries externally.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Using xdotool to send a Return key to the active X session gives the script the ability to manipulate the local desktop outside the stated purpose of speaker control. If the Spotify window is not focused, the simulated keypress may activate arbitrary UI elements in another application, causing unintended local actions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script sends user-provided song queries to Google search, which is unrelated to direct Devialet speaker control and exposes user input to a third party. This is dangerous because it creates unnecessary external data transmission and broadens the skill’s behavior beyond what users would reasonably expect from a local speaker-control tool.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script's functionality materially differs from the declared skill purpose: it performs Spotify OAuth, account/device discovery, search, and playback control against Spotify cloud APIs rather than controlling Devialet speakers via the stated local HTTP API. This scope mismatch is dangerous because it grants third-party account access and network capabilities users would not reasonably expect from a speaker-control skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code introduces OAuth credential loading, token refresh, and persistent token handling for a third-party Spotify account, which is unrelated to the described Devialet speaker-control purpose. In the context of an agent skill, unexpected credential collection and long-lived account access significantly increase the attack surface and the risk of unauthorized account actions or token leakage.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Track search is outside the manifest's stated operations of speaker control and status, and it sends user-provided queries to Spotify's external service. While not inherently malicious, this expands the skill from device control into media discovery and external data transmission without clear disclosure.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The examples encourage routine commands without warning that they will send control requests over the local network to a configured device. Lack of this disclosure can mislead users about where actions are executed and increases the chance of unintended device manipulation on the local network.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs local desktop automation without prominently warning the user that it may inject keystrokes into the active graphical session. This lack of transparency is dangerous because users may invoke a speaker-control command expecting only network playback changes, while the script can affect unrelated local applications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
User-provided song queries are transmitted to Google without an explicit warning or consent flow. Even if the content seems low sensitivity, silent external transmission of user input is a privacy and trust issue, especially in a skill presented as local speaker control.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes OAuth token material, including a refresh token, to a predictable file in the user's config directory without setting restrictive permissions or clearly warning the user. If the file is readable by other local users, backed up insecurely, or exfiltrated by other software, it can enable persistent unauthorized access to the user's Spotify account.

VirusTotal

65/65 vendors flagged this skill as clean.
