Sonoscli

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Sonos control helper; it warrants the expected caution because it can change speaker playback, volume, groups, and queues.

Install this if you trust the upstream Sonos CLI and want an agent to help run Sonos commands. Use explicit speaker names or IP addresses before mutating actions, be careful with volume, party/grouping, and queue clearing in shared spaces, and consider pinning or reviewing the Go module if reproducible installs matter. Only configure Spotify client credentials when you need Spotify search.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Low
Confidence: 95%
Finding
The skill exposes commands that can actively modify Sonos devices on the local network, including playback state, volume, queue contents, and speaker grouping, but the description does not warn users that these are state-changing actions. This can lead to unintended disruptive actions on household or office speakers if a user invokes the skill without understanding its scope, especially in shared environments.

VirusTotal

66/66 vendors flagged this skill as clean.