whatisxlistening.to

Security checks across malware telemetry and agentic risk

Overview

This Last.fm dashboard package also contains unrelated personal workspace files, exposed credentials, and high-privilege automation instructions that users should review before installing.

Do not install this package as-is unless you intentionally want the entire bundled workspace and have audited it. The Last.fm dashboard code itself looks mostly purpose-aligned, but the package should be republished with only the Last.fm skill files, all exposed credentials removed and rotated, and unrelated automation/sync/location-tracking materials excluded or separately reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (40)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}

def run(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()

def load_config():
    if os.path.exists(CONFIG_PATH):
Confidence
96% confidence
Finding
return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This document exposes live administrative CouchDB credentials, the database name, and the reachable server endpoint directly in documentation. Anyone with access to the file can use those secrets to authenticate to the remote database, enumerate synced notes, modify or delete data, and potentially pivot into related infrastructure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The LiveSync configuration example includes reusable production credentials embedded in JSON and iOS setup instructions. Because these are sufficient to connect to the remote CouchDB instance, an attacker could configure their own client and gain persistent access to synchronized workspace memory and notes across devices.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The troubleshooting section provides copy-paste authenticated curl commands using exposed admin credentials, making exploitation easier and more reliable. This lowers the barrier for misuse by showing exact access patterns, endpoints, and validation commands for the live service.

Missing User Warnings

High
Confidence
99% confidence
Finding
This document exposes live remote-access details, including a VNC endpoint, a VNC password, and a username/password pair in plain text. Anyone who can read this file may gain direct access to the host or reuse the credentials elsewhere, making this an immediate compromise risk rather than a theoretical privacy concern.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The summary describes a remote CouchDB backend and real-time synchronization to external devices without discussing data classification, access controls, or user privacy implications. In this context, the synced content appears to include notes and operational memory, so documenting the setup without safeguards normalizes potentially unsafe data exposure practices.

Missing User Warnings

High
Confidence
98% confidence
Finding
The markdown discloses active credentials and direct access details without a strong warning, redaction, or containment, which is unsafe regardless of whether the file is intended as architecture documentation. In this context, the issue is especially severe because the secrets appear to be valid production admin credentials for a reachable external service.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The description emphasizes syncing workspace memory to Obsidian, CouchDB, and mobile devices but does not clearly warn that potentially sensitive internal memory is replicated to external systems and personal devices. This increases the chance of accidental oversharing, broader data exposure, and policy violations if users do not understand the replication boundary.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented Hammerspoon configuration starts an unauthenticated local HTTP server that exposes endpoints for mouse clicks, keystroke injection, and alert display. Because Hammerspoon is granted Accessibility permissions, any local process able to reach localhost:9090 can drive the user's UI, trigger privileged dialogs, and enter text into arbitrary applications, creating a powerful local privilege/abuse primitive.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions tell users to remove the app quarantine attribute and click through Gatekeeper prompts without warning that these steps bypass macOS trust checks. This reduces user visibility into provenance and integrity, making it easier to run a tampered or untrusted app with Accessibility privileges.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script uploads note content and descriptions from the local Obsidian vault to an external Ensue API via ensue-api.sh without any user confirmation, dry-run mode, or clear disclosure at the point of transmission. Because notes may contain sensitive personal or operational data, this creates a real confidentiality risk if a user runs the sync assuming it is purely local or does not realize which files are marked for export.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script writes generated Markdown directly into the user's Obsidian vault and overwrites existing files when Ensue content is newer or present, with no backup, prompt, or conflict handling. In a notes workspace, this can silently alter or replace user-authored content, causing integrity loss and potential destruction of local knowledge if keys or filenames collide or remote data is incorrect.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script forwards arbitrary JSON arguments to a third-party API endpoint without any inline disclosure, gating, or confirmation. In an agent-skill context, this can cause sensitive prompts, memory contents, or user data to be transmitted off-host without the user's informed consent, which is a real privacy and data-handling risk even if the behavior is intentional.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script silently retrieves API credentials from the environment and then falls back to the macOS keychain, which means the skill can access authentication material without a clear user prompt at runtime. In a skill ecosystem, undisclosed credential access increases the risk of unintended account use and makes it easier for higher-level workflows to call external services under the user's identity without transparency.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The wrapper exposes a delete operation that can remove remote memories with no confirmation, dry-run mode, or safeguard against accidental invocation. In an agent setting where method names and JSON arguments may be composed automatically, lack of friction around destructive actions materially increases the chance of unintended data loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill schedules unattended updates that will modify the Clawdbot installation and all installed skills, but the description does not clearly warn users that software and skill files will be changed automatically on a recurring basis. This is dangerous because users may enable it without understanding that future registry or package changes will be applied without review, increasing supply-chain and stability risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs users to run authentication and publishing commands against a remote service, but provides no warning that login may store or transmit credentials and that publish will upload local skill contents to an external registry. In a skill-installation context, that omission can lead users to disclose sensitive code or secrets from the referenced folder without realizing the trust and data-exfiltration implications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples include `update --all --no-input --force`, which performs bulk, non-interactive, forced updates of installed skills without any caution about overwriting local changes or pulling unreviewed remote content. In this context, the skill is specifically designed to fetch and upgrade executable agent skills, so encouraging unattended forced updates increases the chance of supply-chain compromise, breakage, or irreversible local changes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes tracking a shared contact with street-level accuracy and returning screenshots/addresses, but provides no meaningful privacy warning, consent guidance, retention limits, or anti-stalking safeguards. In this skill context, the core capability is location surveillance of a real person, so the absence of safety boundaries materially increases the risk of misuse for stalking, coercive control, or other privacy abuse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to grant Accessibility and Screen Recording permissions, which are highly sensitive macOS privileges that can expose on-screen data and enable broad UI interaction, yet it does not warn about their security implications. In a skill that automates reading a person's live location from Find My, these permissions amplify the privacy risk and potential blast radius if the tool or surrounding environment is misused or compromised.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill is explicitly designed to track a shared contact's live location with street-level accuracy, capture screenshots, and infer contextual labels like home/work/out, yet it provides no meaningful privacy warning, consent guidance, retention limits, or abuse-prevention language. In this context, the missing warning is security-relevant because the skill facilitates highly sensitive surveillance of another person and normalizes collection of precise whereabouts data.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill opens Find My, selects a shared contact, extracts location-related data, and captures a screenshot to /tmp without any user-facing notice or consent flow. In this context, the code is explicitly designed to track a person's location and persist sensitive visual data, which materially increases privacy and surveillance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill reads identity information from USER.md to infer a target name without any visible disclosure or permission check. Silent ingestion of personal identity data is a privacy issue, especially because it feeds a location-tracking workflow and may cause the tool to target someone implicitly rather than through explicit user selection.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill documents and repeatedly exemplifies use of the Last.fm API over plain HTTP, which exposes the user's Last.fm username and API key to interception or modification by any party on the network path. Because this skill is specifically about personal listening history, the transmitted identifier also reveals privacy-sensitive behavioral data and enables tampering or surveillance of requests.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "remember" is broad enough to match ordinary conversation, which can cause the skill to activate in contexts where the user did not intend to store or manage knowledge. In this skill, unintended activation is more concerning because it interfaces with a persistent knowledge base and could lead to accidental drafting, retrieval, or saving of user content if downstream confirmation safeguards are bypassed or inconsistently implemented.

VirusTotal

62/62 vendors flagged this skill as clean.
