Back to skill

Security audit

Roon Controller

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Roon controller that saves a local token so it can reconnect, with only ordinary credential-storage and dependency hygiene caveats.

Install this only if you want the agent to control your Roon playback. Keep ~/clawd/roon_config.json private because it contains a Roon authorization token; consider setting user-only permissions on that file and revoke the extension in Roon if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code persists the Roon authorization token in a plaintext JSON file under the user's home directory without setting restrictive permissions or warning the user. If another local user, process, backup system, or malware can read that file, the token could be reused to control the user's Roon Core and access associated playback metadata.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Roon Control Skill Dependencies
roonapi>=0.1.6
Confidence
95% confidence
Finding
roonapi>=0.1.6

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.