Spotify Player

Security checks across malware telemetry and agentic risk

Overview

This Spotify helper is purpose-aligned and clearly discloses that it stores Spotify session cookies locally, but users should protect those cookies like passwords.

Install only if you are comfortable giving the agent Spotify playback control. Keep sp_dc and sp_t private, set restrictive permissions on ~/.config/spogo and the cookie file, remove the cookies when you stop using the skill, and consider pinning or reviewing the upstream spogo version before running the install command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Session Persistence

Medium

Category: Rogue Agent

Content:
- `sp_dc` - Main auth token (long string, required)
- `sp_t` - Device ID (UUID format, required for playback)

### 2. Create config

Create `~/.config/spogo/config.toml`:

Confidence: 92%
Finding:

Create config

Create `~/.config/spogo/config.toml`:
```toml
default_profile = "default"

[profile.default]
cookie_path = "~/.config/spogo/cookies/default.json"
market = "IL"
language = "en"
```
###

VirusTotal

66/66 vendors flagged this skill as clean.
