Yandex Music

Security checks across malware telemetry and agentic risk

Overview

This Yandex Music helper is disclosed and purpose-aligned, but users should treat it as a token-based account integration that can save credentials locally and change liked tracks when asked.

Install only if you are comfortable giving the skill a Yandex Music OAuth token. Prefer `YM_TOKEN` for temporary use, use `auth-set` only when you want local persistence, clear the token when finished, and confirm the target track before using `like` or `unlike`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill exposes significant capabilities (environment access, file read/write, network, and shell) while declaring no permissions, which reduces transparency and prevents effective policy enforcement or user review. In this skill, those capabilities are used to manage tokens, create a virtualenv, install packages, and access remote Yandex services, so the undeclared access meaningfully expands what the skill can do beyond what a reviewer may expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The description presents the skill as an inspection helper, but the documented behavior includes account mutations (`like`/`unlike`) and a direct websocket probe outside the stated library path. That mismatch can mislead users or downstream agents into granting trust to a tool they believe is read-only, when it can change account state and perform additional network interactions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
A skill framed as inspection/search-oriented should not quietly include commands that alter a user's account state. Even limited mutations like adding or removing likes can cause unauthorized account changes, especially if invoked by an automated agent that assumes the skill is non-destructive.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The behavior rules explicitly claim the skill is 'read/search oriented,' yet the same section documents write actions. This contradiction is dangerous because agents and users often rely on behavior rules as the safest summary of allowed actions, increasing the chance of accidental unauthorized modifications to the user's Yandex Music account.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill description frames the tool as an inspection/helper for Yandex Music, but the code also performs state-changing actions by adding and removing likes. That mismatch can lead users or calling agents to authorize and invoke the skill expecting read-only behavior, causing unintended account modification.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists the OAuth token to a local JSON config file automatically when auth-set is used, without any warning about credential storage or retention. Even though file permissions are restricted to 0600, storing bearer tokens on disk increases exposure to local compromise, backups, shell history mistakes, or accidental reuse by other tooling.

VirusTotal

64/64 vendors flagged this skill as clean.