spongo

Security checks across malware telemetry and agentic risk

Overview

This Spotify terminal-control skill is coherent, but it should be reviewed because its default setup imports Chrome browser cookies for authentication.

Install only if you trust the external Spotify CLI tools and are comfortable letting `spogo` read Chrome cookie/session data. Prefer a supported OAuth or device-login flow if available, and review how imported credentials are stored and revoked before running the cookie import command.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs the user to import browser cookies from Chrome for Spotify authentication, which involves accessing sensitive session data from the browser profile. Even if intended for convenience, encouraging cookie import without any warning, scope limitation, or safer alternative increases the risk of credential/session exposure and normalizes handling authentication artifacts in an unsafe way.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal