last.fm

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Last.fm API reference skill with expected third-party API use and no executable or hidden behavior.

Safe to install as a Last.fm API reference. Use a dedicated API key when possible, avoid sharing the key in logs or chats, and only query user profiles or listening history when you are comfortable sending that username and request to Last.fm.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents multiple user-oriented Last.fm endpoints, including `user.getInfo`, `user.getRecentTracks`, and other listening-history queries, but does not warn that supplied usernames and music-profile queries will be transmitted to a third-party service. This can create a privacy and consent issue because users may not realize their identifiers and request context are being sent externally, especially for profile and listening-history lookups.

VirusTotal

66/66 vendors flagged this skill as clean.
