Zonefoundry Local Sonos

Security checks across malware telemetry and agentic risk

Overview

This Sonos control skill fits its stated purpose, but it needs review because it can automatically update and follow local runtime instructions without clear user confirmation.

Install only if you trust the ZoneFoundry zf runtime and are comfortable letting an agent control Sonos devices on your LAN. Prefer a pinned zf version, require confirmation before runtime updates, service-linking commands, runtime-suggested next commands, and queue pruning, and review what zf reports before allowing it to act automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium, 94% confidence
Finding
The skill instructs the agent to perform `zf update self` automatically at the start of every session, which expands authority from Sonos control into modifying local software. Automatic self-update is dangerous because it executes code and changes the runtime without explicit user approval, creating a supply-chain and privilege-boundary risk if the update channel or local environment is compromised.

Context-Inappropriate Capability

Medium, 96% confidence
Finding
The skill tells the agent to fetch `zf skill show --format json` on every conversation and treat the returned content as its complete authority. This creates an instruction-injection and trust-boundary failure: dynamic, local runtime-provided text can silently override the reviewed static skill behavior and expand capabilities beyond the declared Sonos-control scope.

Missing User Warnings

Medium, 88% confidence
Finding
The skill instructs the agent to automatically run `zf queue prune` silently after enqueue operations, which allows the agent to modify or remove user queue entries without explicit confirmation. In a media-control skill, autonomous destructive actions against user state are risky because blocked-track detection may be imperfect and the user loses control and auditability over what was removed.

Vague Triggers

Medium, 91% confidence
Finding
Using broad triggers like any mention of Chinese room names or service names can invoke this skill outside the user's actual intent, causing the agent to enter account-linking or service-management flows unnecessarily. In this skill context, unintended invocation is more dangerous because the referenced actions include readiness checks and auth workflows that can change service-linking state or confuse the user about what system is being controlled.

Vague Triggers

Medium, 86% confidence
Finding
The phrase 'a just-finished login flow' is underspecified and can match many unrelated conversational states, leading the agent to assume an authentication sequence should be resumed. In this skill, that can push the user into `zf auth smapi complete` or similar stateful operations without clear evidence that the prior login was for the intended service or device context.

Missing User Warnings

Medium, 94% confidence
Finding
The reference provides direct authentication commands that begin or complete account linking without clearly warning that these commands may initiate or finalize changes to service authorization state. In a same-LAN control skill, this is particularly risky because the agent may have the ability to affect real household Sonos integrations, and users may not realize the commands are not read-only diagnostics.

VirusTotal

66/66 vendors flagged this skill as clean.