Security audit

Home Music Enhanced

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local music-control skill for Spotify and Airfoil, with nuisance risk from broad voice-style triggers but no evidence of hidden or malicious behavior.

Install only if you want a local command that can immediately play, pause, route, and change volume on your speakers. Before using it, update the hard-coded Spotify helper path and speaker names for your machine, and consider using explicit commands like home-music party instead of broad voice phrases. Only create the sudo symlink if you want the command available globally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 92% confidence
Finding
The trigger phrases are broad, everyday language such as 'party mode,' 'chill music,' and 'stop music,' which increases the chance of accidental activation by normal conversation or unrelated requests. In this skill's context, unintended activation could start loud playback across multiple household speakers or stop music unexpectedly, causing privacy and nuisance issues in a real home environment.

Vague Triggers

Medium, 90% confidence
Finding
The example voice invocations use very natural phrasing like 'Hey, start party mode' and 'Stop the music,' which can train users or upstream agents to invoke the skill with ambiguous language. That ambiguity raises the risk of misrouting user intent to this skill instead of a safer or more specific built-in media control path, leading to unintended whole-house playback changes.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.