Security audit

Clawtunes Play

Security checks across malware telemetry and agentic risk

Overview

The playback features are mostly disclosed, but the package also includes an under-documented script that can create playlists and change the user's Music library.

Review before installing. The advertised playback workflow is reasonable for a macOS Apple Music helper, but only install if you are comfortable granting Accessibility/Automation permission and sending catalog searches to Apple. If you only want playback, remove or avoid scripts/playlist_create.py because it can create playlists and alter your Music library.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill explicitly relies on shell-capable local commands (`clawtunes`, `python3`, `osascript`, `open`) and online catalog access, yet the metadata shown in SKILL.md does not declare corresponding permissions or capabilities. That mismatch weakens reviewability and consent boundaries: a caller may believe this is a simple playback skill while it can drive shell commands, networked catalog lookups, and UI automation on the host.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
A description-behavior mismatch is a real security concern because users and orchestrators may authorize the skill for playback while the implementation can also modify user state, such as creating playlists, adding tracks, or importing catalog items into the library. In a macOS environment with Music automation enabled, these extra write actions can alter personal data and account state beyond the user's reasonable expectation.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill description says it is for playing Apple Music, but this script creates playlists, adds songs to the user's library, and duplicates tracks into playlists. That capability expansion is dangerous because an agent invoked for playback could silently perform persistent modifications to the user's Music account and local library beyond the user's likely expectations.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
This code implements playlist management despite the skill being framed as a play-only tool. In an agent setting, hidden write capabilities increase the risk of unauthorized or confusing changes to user data because users may consent to playback but not to persistent curation or account/library updates.

Missing User Warnings

Medium
Confidence: 77%
Finding
The script silently performs a network lookup against Apple's search API and then drives the local Music app via AppleScript keystrokes. In an agent-skill context, undisclosed external requests and GUI automation can surprise users, trigger privacy concerns, and cause unintended actions on the local desktop, especially because focus-stealing keystroke automation is fragile and context-dependent.

Missing User Warnings

Medium
Confidence: 86%
Finding
The script sends the user-provided search query to Apple's public iTunes Search API, which can expose sensitive user intent, media interests, or personal terms to a third party without any notice or consent mechanism in the code. In an agent setting, users may assume the action is local to Apple Music, so silent remote lookup increases privacy risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The code opens a Music URL and can then drive the GUI by sending synthetic keypresses through osascript/System Events, which causes real actions in the foreground application without an explicit confirmation step. This is dangerous in an automation skill because focus can shift, accessibility permissions may already be granted, and simulated input can trigger unintended playback or UI actions on the user's machine.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script creates playlists and modifies the Music library through AppleScript and UI automation without any explicit warning or confirmation. In an agent environment this is risky because it enables silent, persistent changes to user content and may trigger unintended account or library modifications from ambiguous requests.

VirusTotal

66/66 vendors flagged this skill as clean.
