spotify
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill metadata specifies the installation of `shpotify` via Homebrew (`brew install shpotify`). While the package itself is a known tool, the skill is hosted by an untrusted owner (2mawi2) and links to an untrusted GitHub repository (clawdbot/skills), presenting a supply chain risk.
- [COMMAND_EXECUTION] (LOW): The skill utilizes `osascript` (AppleScript) and the `spotify` CLI binary to perform actions on the local system. These are standard tools for macOS automation but serve as the execution vector for potential injections.
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection (Category 8) due to the unsafe processing of external data.
  - Ingestion points: The skill workflow (File: SKILL.md) explicitly directs the agent to search the web for Spotify IDs and extract them for use in commands.
  - Boundary markers: Absent. There are no delimiters or instructions to treat the web-sourced IDs as untrusted data.
  - Capability inventory: The skill uses `osascript -e` to execute shell-wrapped commands (File: SKILL.md).
  - Sanitization: Absent. There is no validation of the track IDs before they are interpolated into the command string.
  - Vulnerability: A malicious website could provide a crafted ID containing shell metacharacters (e.g., `\"; [malicious_code]; #`) that escapes the AppleScript string and executes arbitrary shell commands on the host.
Recommendations
- AI detected serious security threats
Audit Metadata