Soundcloud

Security checks across malware telemetry and agentic risk

Overview

This SoundCloud skill is mostly purpose-aligned, but it stores account tokens locally and can make real account changes with weak safeguards.

Install only if you are comfortable giving this skill SoundCloud API credentials and letting it cache OAuth tokens locally. Prefer a low-privilege or temporary SoundCloud app, avoid non-expiring or wildcard tokens, review the token files under ~/.cache/soundcloud, and require explicit human confirmation before playlist deletion, playlist replacement/removal, likes, follows, or batch account changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises shell and network-capable behavior but does not declare corresponding permissions or trust boundaries. That mismatch can hide the real execution capabilities from users or policy controls, increasing the chance of unintended external access or command execution through this skill.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README states the token cache is "encrypted at rest on disk," but the surrounding documentation only describes local file storage protected by `chmod 600`. File permissions restrict access but do not provide encryption, so this claim can mislead users into storing OAuth tokens under a false assumption of stronger protection. For a skill handling API secrets and user tokens, inaccurate security claims increase the chance of credential exposure on compromised hosts or backup systems.

Scope Creep

Low
Confidence
85% confidence
Finding
The documentation recommends loading secrets from local .env files and persisting refreshed tokens to token.txt, which expands credential handling beyond the manifest's declared model. That can lead to accidental secret sprawl, insecure storage on disk, and agent behaviors that read or modify local credential files without explicit user awareness.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document correctly says to use a CSRF-protecting state parameter, but the example flow never validates the returned state before exchanging the authorization code. In an OAuth authorization-code flow, failing to verify state can let an attacker inject or swap authorization responses, causing account confusion or unauthorized token binding.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description is broad enough to match many generic music-related requests, which can cause the agent to invoke this skill outside narrowly intended SoundCloud tasks. Over-broad routing is dangerous here because the skill supports authenticated write actions such as likes, follows, playlist creation, and deletion.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The reference documents authenticated /me endpoints that can expose private tracks, playlists, and favorites, but gives no warning about privacy impact or the need to minimize collection. In an agent skill context, this increases the chance that future implementations will retrieve sensitive user data more broadly than necessary or without clear user awareness.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The delete-playlist endpoint is a destructive authenticated action, yet the documentation provides no warning that it permanently changes user account state. In an agent setting, omission of such warnings can lead to accidental or unauthorized destructive actions if implementers treat the reference as sufficient operational guidance.

Missing User Warnings

Low
Confidence
84% confidence
Finding
These endpoints perform state-changing actions such as liking, unliking, following, unfollowing, and reposting on behalf of the user, but the reference does not warn that they create public or account-visible side effects. In an agent workflow, that omission can cause implementers to expose actions that modify the user's public profile or preferences without clear confirmation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The token rotation example transmits client credentials and refresh tokens, then writes the new access token to a local file, without warning about plaintext secret exposure or unintended credential modification. In an agent setting, this normalizes handling secrets in ways that can leak them to disk, backups, or other local processes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The logging example records full endpoint values and a partial client identifier, which can leak query parameters, resource identifiers, and authentication-related metadata into logs. If URLs ever contain sensitive values, those logs become a secondary disclosure surface that is often broadly retained and accessible.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide recommends non-expiring tokens for most applications and even suggests wildcard access as if it were least privilege, which is the opposite of secure OAuth design. This encourages overbroad, long-lived access that increases blast radius if tokens are stolen or mishandled.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prints a shell export example containing the first portion of the OAuth access token, which unnecessarily exposes a sensitive credential to terminal history, logs, screen recordings, and shoulder-surfing. Even partial token disclosure is poor secret-handling practice and increases the chance of accidental leakage in shared or monitored environments.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script persists user access and refresh tokens to disk in a predictable cache location. Although it applies chmod 600, storing long-lived OAuth material locally increases exposure if the host is compromised, backed up insecurely, or shared, and the script does not clearly warn the user that tokens will be retained.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script can replace or remove playlist tracks through --set-tracks and --remove-tracks without any interactive confirmation, dry-run mode, or prominent destructive-operation warning. In a skill that performs authenticated write actions against a live SoundCloud account, this creates a real integrity risk because a mistaken or induced invocation can irreversibly alter user playlists.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
- **For most applications:** Use `non-expiring` scope
- **For read-only apps:** No scope needed (client_id only)
- **For specific permissions:** Use wildcard `*` (least privilege)

## Token Management
Confidence
96% confidence
Finding
permissions:*

Excessive Permissions

Low
Category
Privilege Escalation
Content
- **For most applications:** Use `non-expiring` scope
- **For read-only apps:** No scope needed (client_id only)
- **For specific permissions:** Use wildcard `*` (least privilege)

## Token Management
Confidence
95% confidence
Finding
permissions:*

Credential Access

High
Category
Privilege Escalation
Content
read -sp "Enter SoundCloud Client Secret: " client_secret
echo

# Save to .env file
cat > .env << EOF
SOUNDCLOUD_CLIENT_ID=$client_id
SOUNDCLOUD_CLIENT_SECRET=$client_secret
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
echo

# Save to .env file
cat > .env << EOF
SOUNDCLOUD_CLIENT_ID=$client_id
SOUNDCLOUD_CLIENT_SECRET=$client_secret
EOF
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
echo "Add to your environment:"
    echo "export SOUNDCLOUD_ACCESS_TOKEN=\"$ACCESS_TOKEN\""
    
    # Save to .env file
    echo "SOUNDCLOUD_ACCESS_TOKEN=$ACCESS_TOKEN" >> .env
    if [ -n "$REFRESH_TOKEN" ]; then
        echo "SOUNDCLOUD_REFRESH_TOKEN=$REFRESH_TOKEN" >> .env
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
echo "export SOUNDCLOUD_ACCESS_TOKEN=\"$ACCESS_TOKEN\""
    
    # Save to .env file
    echo "SOUNDCLOUD_ACCESS_TOKEN=$ACCESS_TOKEN" >> .env
    if [ -n "$REFRESH_TOKEN" ]; then
        echo "SOUNDCLOUD_REFRESH_TOKEN=$REFRESH_TOKEN" >> .env
    fi
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# Save to .env file
    echo "SOUNDCLOUD_ACCESS_TOKEN=$ACCESS_TOKEN" >> .env
    if [ -n "$REFRESH_TOKEN" ]; then
        echo "SOUNDCLOUD_REFRESH_TOKEN=$REFRESH_TOKEN" >> .env
    fi
    
    echo ""
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
echo "Authentication Successful!"
    echo "========================================="
    echo ""
    echo "Access Token: ${ACCESS_TOKEN:0:20}..."
    if [ -n "$REFRESH_TOKEN" ]; then
        echo "Refresh Token: ${REFRESH_TOKEN:0:20}..."
    fi
Confidence
83% confidence
Finding
Access Token

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Create a new playlist (requires user token).

```bash
./scripts/create_playlist.sh "Playlist Name" [--description "text"] [--tracks "id1,id2"] [--sharing public|private] [--genre "genre"] [--tags "tag1,tag2"] [--no-confirm]
```

#### `scripts/update_playlist.sh`
Confidence
85% confidence
Finding
--no-confirm

VirusTotal

65/65 vendors flagged this skill as clean.