Artist Research

Security checks across malware telemetry and agentic risk

Overview

This artist-research skill is mostly aligned with its purpose, but it depends on undeclared Spotify auth code and credentials from a sibling local project, so users should review it before running.

Install only if you are comfortable reviewing the external ../../spotify-songs-to-notion auth code and .env it uses. Prefer a dedicated Spotify app with minimal read-only permissions, avoid granting playlist/library/player scopes for artist research, and confirm where reports or JSON files will be saved before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill is for artist research, but it documents authenticated user endpoints and write-capable operations such as playlist creation, library modification, and player control that are unrelated to the stated purpose. Including these capabilities expands the accessible attack surface and creates a path for privilege misuse if an agent or future script implementation starts invoking them under the guise of research.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding
The skill instructs saving generated reports to disk but does not warn the user that their queries and derived analysis will be persisted locally. This can lead to unintended retention of potentially sensitive business research, artist evaluations, or personal investigation history, especially in shared or synced environments.

VirusTotal

66/66 vendors flagged this skill as clean.
