netease-music-assistant

Security checks across malware telemetry and agentic risk

Overview

This is a coherent NetEase Music assistant, but its scheduling feature can create persistent system cron jobs without enough user control or cleanup guidance.

Review before installing. Use it only if you are comfortable giving the assistant access to NetEase Music listening preferences and local files under ~/.config/ncm. Do not enable scheduled pushes unless you have inspected the exact crontab entry and script path, know how to remove the cron job, and have confirmed any Feishu or other IM destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The skill directs the agent to inspect and modify system-wide cron entries via `crontab`, which exceeds the normal scope of a music recommendation assistant and creates persistent host-level side effects. If triggered, it could install recurring commands, alter existing scheduled tasks, or be abused as a persistence mechanism on the machine running the agent.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The document first says CLI execution must be delegated to the `netease-music-cli` skill, but later instructs this skill to run system commands itself. This inconsistency weakens trust boundaries and can cause an agent to bypass the intended least-privilege execution layer, increasing the chance of unauthorized command execution.

Vague Triggers

Medium
Confidence: 79%
Finding
The trigger conditions include broad natural-language cases like wanting to listen to music or asking for recommendations, which can activate the skill during ordinary conversation without clear user intent. In this skill, accidental activation is more dangerous because activation can lead not just to recommendations but also to file writes, preference analysis, and scheduling actions.

Missing User Warnings

High
Confidence: 97%
Finding
The skill tells the agent to update local schedule files and register cron jobs but does not require prominent disclosure that it will modify persistent local configuration and system task scheduling. Hidden persistent changes are risky because users may believe they are making a temporary request while the agent installs recurring automation on the host.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill reads and analyzes up to 200 liked songs, timestamps, tags, artists, albums, and behavioral patterns, then stores a preference profile locally, but it does not require clear privacy notice or consent. This creates privacy risk because the derived profile can reveal habits, moods, routines, and personal taste over time.

Missing User Warnings

Medium
Confidence: 83%
Finding
The optional Feishu cover-image flow allows downloading external `coverImgUrl` content to a local temporary file and sending it onward without clear user notice. This introduces network and local-write side effects and can expose the environment to untrusted remote content, SSRF-like fetches, or unexpected data handling.

VirusTotal

66/66 vendors flagged this skill as clean.
