pp-spotify

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches and installs the core binary using the npx command from the vendor's npm package @mvanhorn/printing-press during the setup phase.
  • [DATA_EXFILTRATION]: Provides a --deliver webhook:<url> flag that allows the agent to POST command output (which may contain user profile information, library details, or listening history) to arbitrary external URLs.
  • [DATA_EXFILTRATION]: Includes a feedback command capable of transmitting data to a remote endpoint if the SPOTIFY_FEEDBACK_ENDPOINT environment variable is configured.
  • [CREDENTIALS_UNSAFE]: Provides instructions for the manual configuration and export of sensitive SPOTIFY_CLIENT_ID and SPOTIFY_SECRET credentials and persists authentication tokens in the local file ~/.config/spotify-pp-cli/token.json.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface: The skill ingests untrusted data from the Spotify Web API (such as playlist names, track metadata, and artist descriptions) which could contain instructions designed to influence the agent's behavior.
      • Ingestion points: Processes external content via commands like me get-users-top-tracks, search, and playlists get.
      • Boundary markers: Absent. No instructions are provided to the agent to distinguish between music metadata and operational instructions.
      • Capability inventory: The toolset includes file system writes (--deliver file) and network operations (--deliver webhook), which could be abused if an injection is successful.
      • Sanitization: No sanitization or validation of ingested metadata is mentioned before it is interpolated into subsequent command arguments or agent responses.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 19, 2026, 12:34 AM