spotify
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): Multiple scripts interpolate user-provided arguments directly into AppleScript via Bash heredocs without adequate sanitization, creating a risk of AppleScript injection.
  - Evidence in `scripts/play-uri.sh`: The variables `$URI` and `$CONTEXT` are interpolated into an `osascript <<EOF` block. A URI like `track" & (do shell script "open /Applications/Calculator.app") & "` would break out of the AppleScript string and execute arbitrary shell commands.
  - Evidence in `scripts/search.sh`: While the query is URL-encoded for the `open location` command, the script still prints the raw `$QUERY` in the success message, and the encoding logic relies on a system Python call that could be manipulated if the input is not strictly checked.
- INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted data from the Spotify app (track names, artists, etc.) which are then returned to the agent context.
  - Ingestion points: `scripts/get-current-track.sh` reads metadata from the current track.
  - Boundary markers: The skill uses `<<>>` delimiters to separate fields, which helps with parsing but does not prevent the agent from interpreting instructions embedded in track titles.
  - Capability inventory: The agent has the `Bash` tool and can execute AppleScript, which includes the powerful `do shell script` command.
  - Sanitization: There is no evidence of sanitization or escaping of metadata (e.g., song titles) before they are sent back to the agent.
- DATA_EXPOSURE (SAFE): The skill is designed to access Spotify's internal player state and track information. It does not attempt to access sensitive system files like SSH keys or environment variables.