Back to skill

Security audit

whatisxlistening.to

Security checks across malware telemetry and agentic risk

Overview

This Last.fm dashboard package also bundles unrelated workspace materials with plaintext remote-access credentials and high-privilege automation instructions that need review before installation.

Install only if you intend to audit the whole bundled workspace, not just the Last.fm dashboard. The publisher should republish with only the Last.fm files, remove unrelated skills/docs/scripts, rotate all exposed credentials, and add privacy guidance for listening-history backfill and any public dashboard deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (35)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}

def run(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()

def load_config():
    if os.path.exists(CONFIG_PATH):
Confidence
97% confidence
Finding
return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The README instructs users to expose a local HTTP service in Hammerspoon that can synthesize arbitrary mouse clicks based only on x/y coordinates. That capability is broader than the stated location-reading function and creates a reusable local control surface that other local processes or malware could abuse to drive GUI actions, potentially enabling unintended app interaction or privilege-adjacent abuse.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The code assumes a hard-coded coordinate corresponds to a shared contact and clicks it without verifying the UI state. In a privacy-sensitive app like Find My, this can select the wrong person and expose or process another individual's location information, especially if window layout, scaling, or app state differs from expectations.

Missing User Warnings

High
Confidence
99% confidence
Finding
This documentation exposes active remote access details and plaintext credentials, including a VNC endpoint, VNC password, and local account username/password. Even if intended as internal notes, embedding live access secrets in broadly accessible markdown dramatically increases the chance of unauthorized access, lateral movement, and full compromise of the host.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document describes moving the agent's memory into a synchronizing Obsidian vault with real-time propagation to iOS, which expands the exposure surface for potentially sensitive memory contents across devices and services. Without any warning, scoping, or data-classification controls, this creates privacy and confidentiality risk if the mobile device, sync backend, or vault is compromised.

Missing User Warnings

High
Confidence
99% confidence
Finding
This documentation contains what appear to be live CouchDB administrative credentials, the server hostname, database name, and ready-to-run access commands. Publishing reusable admin secrets in a skill or documentation file creates immediate risk of unauthorized database access, data theft, tampering, replication abuse, and wider compromise if the password is reused elsewhere.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented Hammerspoon configuration starts an unauthenticated HTTP server that exposes powerful UI automation primitives such as arbitrary clicks, keystrokes, and key combinations while running with Accessibility privileges. Any local process, and potentially remote hosts depending on Hammerspoon's bind behavior or host networking setup, could abuse this API to drive the user's UI, approve prompts, enter commands, or interact with sensitive applications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions recommend removing the quarantine attribute and approving Gatekeeper and Accessibility permissions without warning that these steps bypass important macOS trust and integrity protections. In combination with a custom automation configuration, this encourages users to weaken system safeguards and grant broad input-control privileges to software that can then automate sensitive UI actions.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script sends caller-supplied JSON arguments directly to a remote API endpoint, including potentially sensitive memory contents, without any confirmation prompt, validation, or user-facing disclosure beyond the source code. In a skill context, this increases the risk of unintended exfiltration of user data to an external service, especially if higher-level tooling invokes the wrapper transparently.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly encourages unattended daily updates of both the core tool and all installed skills, including applying changes automatically via cron. This is dangerous because it expands the trusted update surface to every installed skill and can introduce breaking changes or malicious/compromised upstream releases without user review, rollback planning, or explicit risk warning.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill is written to activate for essentially any user question about Clawdbot, making its trigger scope very broad rather than narrowly constrained to explicit documentation lookup tasks. Overbroad activation increases the chance the skill will intercept unrelated requests, invoke local scripts unnecessarily, and bias the agent toward this skill even when a safer or more appropriate capability should handle the request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill includes a bulk update command (`clawdhub update --all --no-input --force`) that can modify many installed skills non-interactively and forcibly, but it provides no warning about review, pinning, backups, or trust of the registry source. In a skill-management context, this is dangerous because it normalizes blind mass updates of executable agent capabilities, increasing the chance of supply-chain compromise, incompatible changes, or operational breakage.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill is explicitly designed to retrieve a shared contact's precise location and capture screenshots, but the documentation does not prominently warn about consent, privacy expectations, retention of screenshots, or safe handling of location data. In this context, the capability is inherently sensitive because it enables street-level tracking of a person and may normalize surveillance-like use without adequate guardrails.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly promotes tracking a shared contact's live location with street-level accuracy and returning address-level data, yet it provides no privacy warning, consent guidance, or limitation language. In this context, the omission is dangerous because the skill operationalizes highly sensitive geolocation surveillance and makes misuse easier, especially when combined with screenshot capture and automated context labeling such as home/work/out.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to grant Accessibility and Screen Recording permissions, which are powerful system-level capabilities that can expose sensitive information far beyond Find My. This is especially risky here because the skill is built to monitor a person's location and capture map screenshots, so elevated permissions materially increase the blast radius of misuse or compromise.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill opens Find My, brings it to the foreground, clicks within it, scrapes accessibility data, and captures a screenshot, all without any user-facing disclosure or consent checks. In the context of a location-tracking skill, this is highly sensitive behavior because it can covertly collect precise location and contextual information about another person.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The run helper silently executes shell commands and discards everything except stdout, with no user disclosure that external tools and OS automation are being invoked. In this skill, those commands control applications and capture local state, so hidden execution increases the chance of covert behavior and makes abuse harder for users to detect.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation description is broad enough to match a wide range of ordinary frontend requests, which can cause this skill to activate in many contexts without strong scoping boundaries. Over-broad routing is dangerous because it can override more specialized or safer skills, increasing the chance of inappropriate code generation, prompt collision, or unintended behavior in agent workflows.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill sends a user's Last.fm username and listening-history queries to an external third-party service but does not clearly warn users that their profile-related data and query terms will leave the local environment. While this is expected for an API integration, the missing privacy disclosure can lead to unintentional sharing of behavioral data, which is sensitive in aggregate.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "remember" is overly broad for a skill that can persist user-supplied content to a remote knowledge store. It can cause unintended invocation during ordinary conversation, increasing the chance that sensitive or incidental information is drafted for storage or that the assistant shifts into memory-handling behavior when the user did not intend it.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs agents to log user corrections, errors, and context to persistent markdown files, but provides no privacy guardrails, redaction rules, or consent checks. This creates a real risk that sensitive user-provided information, secrets, internal paths, or proprietary context will be stored on disk and later reused or committed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill presents a repo-sharing option for `.learnings/` as team-wide knowledge without warning that these files may contain sensitive prompts, error output, stack traces, environment details, or user corrections. If such files are committed, private data can be broadly exposed to collaborators or permanently preserved in version history.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description encourages syncing full Last.fm history to a local database and deploying a dashboard, but it does not warn that this processes potentially sensitive behavioral data and may make it visible to others. Users may unknowingly expose detailed listening habits, timestamps, and identity-linked profile information when following the setup as written.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Documenting `lastfm backfill` as downloading full listening history to a local DB without a warning can lead users to ingest a complete behavioral history without understanding the privacy implications. Even if the data remains local, it increases exposure through device compromise, backups, logs, or later reuse by the dashboard/API.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The deployment instructions describe running a web dashboard over HTTP and exposing a port, but omit any warning that personal listening data may be served to anyone who can reach the service. In practice, users may bind this service on shared hosts, home networks, or public infrastructure and unintentionally disclose current listening activity and history.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
docs/brain-sync-architecture.md:39