spotify
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill ingests untrusted external data from the Spotify API, such as track titles, artist names, and playlist descriptions. An attacker could craft malicious metadata in a shared playlist to influence the agent's behavior.
  - Ingestion Points: searchSpotify, getNowPlaying, getMyPlaylists, and getPlaylistTracks all return strings from the Spotify catalog or user library.
  - Boundary Markers: None. The skill does not define delimiters to separate external content from instructions.
  - Capability Inventory: The skill can modify user data via createPlaylist, addTracksToPlaylist, and saveOrRemoveAlbumForUser, and control playback via playMusic.
  - Sanitization: None specified; the agent processes raw API responses.
- Unverifiable Dependencies (MEDIUM): The setup instructions refer to a local Node.js project (spotify-mcp-server) located in a user-specific directory (/Users/alice/...). This external code is not provided for review and originates from an unverified source.
- Command Execution (LOW): The skill relies on executing a local node process via MCP. While standard for this architecture, it establishes a dependency on the integrity of the local filesystem and the index.js script.
- Data Exposure (LOW): The skill configuration contains hardcoded absolute paths (e.g., /Users/alice/...) which reveal local system structure and usernames.
Audit Metadata