Back to skill

Security audit

Spotify Playlist Curator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Spotify playlist assistant with expected Spotify account access and local personalization, but its saved tokens and taste profile should be treated as sensitive.

Install only if you are comfortable granting Spotify permissions that can read private playlists and listening history, queue playback, and create or modify playlists. Keep .env, spotify_tokens.json, and taste_profile.json out of shared or backed-up folders, consider using SPOTIFY_TOKENS_PATH for a private location, and review or delete saved taste notes if you do not want preferences retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill description says it operates using the Spotify Web API, but this file adds a separate third-party ReccoBeats backend for recommendations and audio features. That means user-derived listening data, track IDs, artist searches, and recommendation seeds may be transmitted to an undeclared external service, creating a privacy, compliance, and trust-boundary issue even if no obviously malicious behavior is present.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The CLI maintains a local taste profile, including excluded/favorite artists, genres, and arbitrary free-text notes, which extends beyond the manifest’s stated Spotify playlist/listening operations. This creates undeclared collection and persistence of user preference data, increasing privacy risk and expanding the skill’s data-handling scope without clear disclosure or consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill sends track identifiers to ReccoBeats for audio-feature lookup even though the manifest only describes Spotify Web API usage. Undisclosed third-party data sharing is a privacy and trust issue because it broadens the set of external services receiving user-related listening inputs.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The client enriches Spotify-derived data using third-party services (ReccoBeats and later MusicBrainz elsewhere in the file), which expands data exposure beyond the skill's declared Spotify Web API behavior. Even if only track IDs, artist names, or audio-feature queries are sent, this is a real privacy/transparency issue because user-derived listening context can be transmitted to external services without explicit disclosure or consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill explicitly persists user preference data to a local JSON file across sessions, which expands behavior beyond transient Spotify playlist operations into local state retention. Even if the data appears low sensitivity, storing cross-session preference notes and artist exclusions creates an undisclosed persistence channel that can retain personal preference data longer than expected and be repurposed by other code in the skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The implementation loads and saves a reusable taste profile from disk on every run, enabling cross-session accumulation of behavioral data not inherent to one-shot playlist generation. In the context of a Spotify playlist curator, this broadens the skill from API-driven playlist actions into local profiling, which increases privacy risk and creates a hidden memory mechanism that may influence future outputs without clear disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises playlist modification and persistent taste-memory behavior without clearly warning users that the skill can change Spotify playlists, queue tracks, and retain preference data across sessions. In an agentic context, that omission matters because users may authorize the skill without understanding that it can perform state-changing actions and store behavioral/profile data, increasing the chance of unintended account changes or privacy surprises.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to save taste preferences so they persist across sessions, but the top-level description does not warn users that preference data will be stored locally. This is a privacy vulnerability because users may disclose dislikes, favorites, or personal notes without realizing those preferences will be retained and reused later.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes Spotify access and refresh tokens to disk in plaintext without warning the user beforehand or enforcing restrictive file permissions. In an agent skill context, locally persisted OAuth tokens can allow later unauthorized API access to the user's Spotify account if the file is exposed through other local compromise, backups, logs, or shared directories.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Taste profile update commands write user preference data immediately, with no warning that the data will be persisted locally. Because the stored content includes free-text notes, users may unintentionally save sensitive personal information, creating avoidable privacy and retention risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill can automatically create playlists derived from recently played or top tracks, which uses personal listening-history data to generate and write new Spotify objects without any explicit warning about that derivation. While aligned with the product domain, this still implicates privacy expectations because it materializes behavioral data into persistent artifacts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
OAuth tokens are persisted to disk in a predictable JSON file without any visible warning, permission hardening, or secure storage mechanism. If the host environment is shared, compromised, or backs up workspace files broadly, these tokens can be reused to access or modify the user's Spotify account within the granted scopes.

Unpinned Dependencies

Low
Category
Supply Chain
Content
spotipy
requests
Confidence
95% confidence
Finding
spotipy

Unpinned Dependencies

Low
Category
Supply Chain
Content
spotipy
requests
Confidence
95% confidence
Finding
requests

Known Vulnerable Dependency: spotipy — 3 advisory(ies): CVE-2025-27154 (Spotipy's cache file, containing spotify auth token, is created with overly broa); CVE-2023-23608 (Path traversal in spotipy); CVE-2025-66040 (Spotipy has a XSS vulnerability in its OAuth callback server)

High
Category
Supply Chain
Confidence
98% confidence
Finding
spotipy

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/spotify_auth.py:28

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/spotify_client.py:161