Back to skill

Security audit

Bumblebee

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Spotify music-control skill, but it asks for more Spotify account authority than its visible features need and keeps long-lived Spotify credentials in local files.

Install only if you are comfortable letting an agent control Spotify playback and read listening context. Before use, reduce OAuth scopes where possible, avoid playlist/library modification scopes unless you truly need them, keep .env and tokens.json private, and revoke the Spotify app authorization if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The setup requests broad Spotify OAuth scopes including library modification and playlist modification, which exceed the stated core purpose of playback control and contextual curation. Over-scoped OAuth grants violate least privilege and increase the blast radius if the skill, its storage, or tokens are compromised, allowing unintended changes to the user's library and playlists.

Description-Behavior Mismatch

Low
Confidence
77% confidence
Finding
The documentation says the skill may create playlists even though the higher-level description emphasizes playback control and queue curation. This mismatch can mislead users about the privileges they are granting and supports the broader over-permissioning issue by normalizing capabilities that were not clearly disclosed up front.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The example trigger phrase "Play music" is extremely broad and likely to overlap with ordinary conversation, making accidental invocation plausible in natural interactions. In a skill that can immediately control Spotify playback and queue tracks on an active device, ambiguous invocation increases the risk of unintended device actions and surprise media playback.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Telling users to "just talk to your agent" encourages open-ended triggering without defining clear activation rules, which can cause the skill to respond to incidental or ambiguous speech. Because this skill can perform playback and queuing actions, the lack of boundaries increases the chance of unintended execution in normal conversation.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The README states that the skill uses time of day, recent listening history, and current vibe to curate music, but it does not clearly warn users that personal listening history and contextual signals are being accessed. This creates a transparency and privacy-consent issue, especially because users may not realize behavioral data is involved in recommendation decisions.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The README explains that the skill automatically queues tracks and plays clips on the user's active Spotify device, but it does not prominently warn that installation and use can affect a live device immediately. This can lead to unexpected playback, queue manipulation, or interruption on speakers, computers, or shared environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup guide instructs users to handle client secrets, authorization codes, refresh tokens, and access tokens directly, and to store them in local files, but it does not warn about protecting these secrets from logs, screenshots, shell history, backups, or accidental sharing. Because the refresh token is described as effectively long-lived, compromise of these values can grant ongoing access to Spotify account data and playback/library actions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description advertises activation for generic requests like 'play music', 'what should I listen to', and broad playback control, which creates an overly wide trigger surface. In an agent environment, that can cause the skill to be invoked for routine requests without the user understanding that contextual data, Spotify state, or local tokens may be used.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The agent guidance directly maps broad phrases such as 'Play music' or mood statements to automatic command execution (`r2-dj.js vibe`, `play`) without clear consent or boundary checks. This raises the risk of unintended activation and action on a user's Spotify account or active device based on ambiguous natural-language input.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description says it uses time, mood, and recent listening to 'read the moment,' but it does not warn that recent listening history is privacy-sensitive behavioral data. Users may not realize that a simple music request could cause the agent to inspect personal listening patterns and infer habits or emotional state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prerequisites instruct the operator to keep OAuth tokens and Spotify client secrets in local project files, but there is no warning about secret handling, file permissions, logging, or accidental disclosure. Because these credentials can authorize account access and playback control, poor handling could lead to account compromise or unauthorized API use.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The prompt 'Build me a Bumblebee lyric index from my top 50 Spotify tracks' encourages broad autonomous action across a user's Spotify library and external lyrics sources without defining boundaries, approval checkpoints, or data minimization. In this skill context, that can lead to unnecessary collection of listening-history data and transmission of track/library information to third-party lyrics services, which increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions tell users the agent can pull their Spotify library and search external lyrics APIs, but they do not warn that this involves accessing personal listening data and sharing song metadata with outside services. Because this skill is explicitly designed around Spotify account access and third-party lyric retrieval, the missing disclosure makes inadvertent privacy exposure more likely and weakens informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill can immediately issue Spotify playback commands that affect the user's active device without any explicit confirmation, dry-run, or warning at the point of execution. In an agent setting, this creates an unsafe actuation path where a prompt or tool invocation could unexpectedly start or change playback on the user's account and devices.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Spotify track search is hard-coded to market=MX, which forces a locale choice without user consent and can alter what content is found or played. This is primarily a policy and user-expectation issue rather than a direct security compromise, but in a music-control skill it can cause unintended playback behavior and confuse users about account-region behavior.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The script hard-codes the locale/timezone to en-US and America/Chicago when deriving listening context and formatting output. In a music curation skill, this can silently infer the wrong time-of-day context for users in other regions, causing incorrect behavioral decisions and leaking an implicit assumption about user location without consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.