Sonos Music Search

Security checks across malware telemetry and agentic risk

Overview

The skill is a straightforward Sonos music search/playback CLI with expected Brave Search API use and no hidden persistence or unrelated access found.

Install only if you are comfortable giving the skill a Brave Search API key, sending music searches to Brave, and allowing it to start playback on a named Sonos speaker. In shared spaces, be aware that it plays the first matched Spotify result without a separate confirmation step.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: Hardcoding `safesearch: 'off'` allows explicit or otherwise unsuitable content to be returned and potentially played without user consent, warning, or age-appropriate controls. In a music search-and-play skill connected to household speakers, this increases the chance of unintended playback in shared environments such as homes or offices.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal