Home Music

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed local macOS music-control helper, with the main risk being accidental or disruptive speaker playback from broad voice-style triggers.

Install only on a Mac where you intentionally use Spotify Desktop and Airfoil. Review the speaker names, playlist URIs, and spotify-applescript path before use, and prefer explicit commands such as home-music party or home-music off for louder or whole-house actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (88% confidence)
Finding
The trigger phrases are broad everyday-language terms such as 'party mode', 'chill music', and 'stop music', which can cause accidental invocation in normal conversation or unrelated workflows. Because the skill can start playback, change volumes, and route audio to multiple speakers, unintended activation could disrupt the environment or expose audio activity throughout the house.

Vague Triggers

Medium (87% confidence)
Finding
The natural-language examples like 'Hey, start party mode' and 'Put on some chill music' encourage ambiguous phrasing that may overlap with other assistants or routine speech. In a voice-driven environment, that ambiguity raises the chance of accidental execution of speaker-routing and playback actions without clear user intent.

VirusTotal

65/65 vendors flagged this skill as clean.
