Back to skill

Security audit

win-music-skill

Security checks across malware telemetry and agentic risk

Overview

This is a small Windows music-control skill that sends fixed media hotkeys, with no evidence of hidden data access, persistence, or destructive behavior.

Install this only if you want an agent to control music playback on a Windows machine. Verify NirCmd comes from a source you trust, and confirm the listed Ctrl+Alt shortcuts are appropriate for your media setup because global hotkeys may be handled by other applications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation guidance is overly broad ('需要播放音乐的时候'), which can cause an agent to invoke this skill in loosely related contexts without clear user confirmation. Because the skill issues local system commands that send media-control keypresses, ambiguous triggering increases the risk of unintended command execution on the host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs execution of local shell commands via `nircmd sendkeypress` but does not warn that it will control the host system's media session by simulating keystrokes. This lack of transparency can lead to unexpected local actions, especially if invoked automatically or in the wrong context, and simulated keypresses may affect whichever application currently receives those shortcuts.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.