Youtube Music

Security checks across malware telemetry and agentic risk

Overview

This YouTube Music skill is mostly purpose-aligned, but its command scripts interpolate music queries and video IDs into local shell command strings, so a crafted query or video ID can become a shell command on the host.

Review before installing. Use only with trusted inputs, avoid arbitrary URLs or video IDs, and prefer a patched version that replaces execSync shell strings with structured argument calls, validates YouTube URLs/video IDs, and clearly documents cache storage plus effects on a logged-in YouTube/Google session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
77% confidence
Finding
The skill metadata declares no explicit permissions, yet the documentation indicates shell capability requirements via `node` and browser/tool orchestration. Undeclared execution capabilities reduce transparency and can lead users or the platform to grant more power than they realize, especially for a browser-automation skill that may launch processes or interact with local profiles.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The usage documentation advertises capabilities like lyrics display and playlist modification as if they are available, despite the static analysis indicating they are unsupported. In an agent skill, overstated capabilities can mislead users or upstream orchestration into invoking actions the implementation does not safely handle, increasing the chance of fallback behavior, unintended browser automation, or unsafe future extensions being trusted without validation.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The documentation states the skill uses browser automation to control YouTube Music but does not prominently warn that it will drive a browser session and perform actions on the user's behalf. In a browser-automation skill, lack of explicit disclosure can cause users to grant or retain an authenticated session without understanding that the skill can issue playback and account-adjacent actions through that session.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The log explicitly promotes direct URL opening, auto-play, and caching of search URLs without any accompanying notice that the skill will trigger browser actions and persist user search activity. In a browser-automation music skill, silent execution and storage of behavioral data can violate user expectations, create privacy issues, and cause unintended playback/actions on the user's behalf.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The migration guide states that the skill auto-upgrades and that cache builds automatically, but it does not warn users that browser automation will occur or that local cache data will be stored as part of normal use. Automatic behavior changes and silent persistence increase privacy and consent risk, especially for a skill that controls media playback through the browser.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The README encourages broad natural-language commands like 'pause the music' and 'skip to next track' without defining clear invocation boundaries, confirmation requirements, or namespace constraints. In an agent environment, this can cause unintended activation from ambient text, nearby conversation, or overbroad intent matching, leading to unwanted browser actions against a live YouTube Music session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises 'full playback control via browser automation' but does not clearly warn that using the skill will open/control a browser session and generate live network traffic to YouTube Music. Users may unknowingly grant the skill access to an authenticated browser profile, exposing account state, recommendations, playlists, and session-linked actions they did not expect.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad trigger phrases like 'play', 'pause', 'stop', 'continue', 'back', and 'mute' overlap with ordinary conversation and can cause unintended activation. In a browser-automation skill tied to a live user account, accidental invocation can modify playback, queue state, playlists, or other account-associated actions without clear user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not warn users that browser automation may access a signed-in YouTube Music session and alter account state, including playback history, likes, playlists, and queue contents. Missing disclosure undermines informed consent and increases privacy and integrity risk because users may not realize the skill operates with their browser profile and account context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation explicitly promotes atomic open-and-play behavior with zero user interaction, which normalizes unattended media actions without any user-consent, confirmation, or safety caveats. In a browser automation skill, this can lead to unexpected audio playback, disruptive behavior, or misuse by downstream agents that treat the documented behavior as safe-by-default.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file documents predictive pre-loading, auto-play enabled by default, and persistent caching across sessions without warning users about retained query/history data or continued automated behavior. In this skill context, persistent browser automation plus retained playback metadata increases privacy and control risks, especially on shared systems or when invoked by other agents.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document advertises smart caching and auto-upgrade behavior without disclosing what data is stored, how long it persists, or that state changes may occur automatically. In a browser-automation skill that handles user media searches and playback behavior, undocumented persistence can expose listening history, create privacy surprises, and make the agent perform unexpected actions across sessions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The natural-language examples use broad, everyday phrases such as 'pause the music' and 'what's playing now?' that are likely to collide with ordinary conversation. In a voice or chat-triggered agent environment, this increases the risk of unintended activation and unauthorized playback actions, especially because the skill controls a live browser session with persistent state.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The package description advertises broad natural-language control ('Play, pause, skip, search with natural language') without indicating any trigger constraints, confirmation gates, or scope limits. In an agent ecosystem, vague activation language can cause overbroad invocation or misuse by upstream routing logic, increasing the chance the skill is triggered for unintended media-control requests or abused to drive browser automation unexpectedly.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code constructs a shell command string and passes it to execSync using user-influenced values from params, including targetUrl derived from command-line input. The values are only wrapped in double quotes, which does not neutralise a `"` that closes the quote, `$(...)` or backtick substitutions, or `;`, and they are not escaped or passed as structured arguments. An attacker who controls a URL or video ID can therefore append shell metacharacters or command substitutions and achieve arbitrary command execution on the host running the skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script persists user search queries to /tmp via a shell command without transparency or safeguards. In a music-control skill, queries can reveal sensitive interests or habits, and /tmp is shared by every local account: a file created there with the default umask is typically world-readable, so other local users or processes can read the retained queries, creating a privacy leak.

VirusTotal

66/66 vendors reported this skill as clean.

View on VirusTotal