Apple Music Play

Security checks across malware telemetry and agentic risk

Overview

The Apple Music playback behavior is mostly disclosed, but the package also contains under-documented code that can create playlists and change the user's Music library.

Install only if you are comfortable granting macOS Accessibility/Automation permission and having Apple Music search terms sent to Apple. Review or remove scripts/playlist_create.py if you only want playback, because it can create playlists and modify the Music library.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence: 86%
Finding
The skill description is broad enough to trigger on very common requests like playing a song, artist, album, or mood, which increases the chance of over-invocation. That can cause the agent to launch Apple Music and perform UI automation in situations where the user did not clearly intend this specific skill, creating unwanted side effects and reducing user control.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill relies on macOS Accessibility and System Events to send keyboard input to the Music app, but it does not clearly warn that UI automation may affect the active interface and depends on focus/state. If invoked unexpectedly or while the UI is in an unexpected state, synthetic keystrokes could trigger unintended actions in Music or another focused application.

Missing User Warnings

Medium
Confidence: 88%
Finding
The function sends the raw user query to Apple's iTunes Search API over the network without any disclosure, consent, or minimization. In an agent skill context, search terms can contain sensitive user interests or private data, so silent exfiltration to a third party creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
This code uses osascript/System Events to activate the Music app and simulate key presses that can trigger playback and UI actions without an explicit user-facing confirmation. In an agent environment, UI automation is risky because focus may shift and synthetic keystrokes can affect unintended windows or cause actions the user did not authorize.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script opens a Music URL and then programmatically sends keypresses to the active UI without any user confirmation or clear disclosure. In an agent skill context, simulated keystrokes can trigger unintended playback or interact with UI state in ways the user did not authorize, especially because System Events automation is being used.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script sends the user's search query to Apple's iTunes search endpoint with no visible disclosure or consent flow. While the destination is a legitimate service and the data sent is limited to the query string, this still exposes user input externally and may leak sensitive searches in an agent environment.

Missing User Warnings

Medium
Confidence: 87%
Finding
The script creates playlists, opens Music URLs, and automates keystrokes to add tracks to the user's library without any explicit confirmation or dry-run mode. In an agent or automation context, this can cause unauthorized modification of a user's media library and trigger unintended application actions on the host system.

Missing User Warnings

Low
Confidence: 83%
Finding
User-supplied queries are sent to Apple's iTunes Search API, which exposes user input to a third party without any notice in the script. While this is expected for a music catalog lookup, lack of disclosure can create privacy issues in an agent setting where users may not realize their queries leave the local machine.

VirusTotal

65/65 vendors flagged this skill as clean.
