Trusted — Risk Score 5/100
Last scan: 2 days ago
Bumblebee + R2-DJ
AI music agent that communicates through Spotify lyric clips and curates contextual playlists based on time and mood
Legitimate Spotify music playback and lyric-curation skill with transparent, well-documented functionality and no malicious indicators.
Skill Name: Bumblebee + R2-DJ
Duration: 31.7s
Engine: pi
Safe to install
Approve for deployment. The skill performs standard Spotify API integration for music playback control with no hidden or suspicious behavior.

Findings (1 item)

Severity: Low
Finding: Implicit filesystem read access
Location: scripts/lyric-engine.js:54
Evidence: fs.readFileSync(INDEX_FILE, 'utf8')
The skill reads lyric-index.json, lyrics-db.json, tokens.json, and .env files, but SKILL.md does not explicitly declare filesystem:READ. These reads are documented in SETUP.md and are standard for a Node.js-based music skill. Note that tokens.json holds the locally stored Spotify OAuth tokens and .env typically holds the client configuration, so the undeclared read capability covers credential files as well as lyric data; a reviewer should confirm those reads are confined to the skill's own directory.
Recommendation: Add filesystem:READ to the declared capabilities in SKILL.md for completeness
Resource    Declared  Inferred  Status     Evidence
Filesystem  NONE      READ      ✓ Aligned  scripts/lyric-engine.js:54 - loadIndex() reads lyric-index.json
Network     NONE      READ      ✓ Aligned  scripts/lyric-engine.js:21 - lrcSearch() calls lrclib.net; scripts/bumblebee.js:…
Shell       NONE      NONE                 No subprocess or shell execution found
External URLs (4 findings)

Medium  External URL  https://swats.ai  README.md:77
Medium  External URL  https://developer.spotify.com/dashboard  SETUP.md:11
Medium  External URL  https://accounts.spotify.com/authorize?client_id=$  SETUP.md:56
Medium  External URL  https://accounts.spotify.com/api/token  SETUP.md:71

File Tree

8 files · 71.8 KB · 2169 lines
JavaScript: 3 files · 1616 lines; Markdown: 5 files · 553 lines
├─ 📁 references
│ └─ 📝 song-library.md Markdown 65L · 2.6 KB
├─ 📁 scripts
│ ├─ 📝 build-lyric-index.md Markdown 76L · 2.2 KB
│ ├─ 📜 bumblebee.js JavaScript 291L · 8.5 KB
│ ├─ 📜 lyric-engine.js JavaScript 586L · 18.3 KB
│ └─ 📜 r2-dj.js JavaScript 739L · 23.7 KB
├─ 📝 README.md Markdown 77L · 2.5 KB
├─ 📝 SETUP.md Markdown 147L · 5.1 KB
└─ 📝 SKILL.md Markdown 188L · 9.0 KB

Security Positives

✓ No shell execution or subprocess calls anywhere in the codebase
✓ All network requests go to legitimate, documented endpoints (api.spotify.com, accounts.spotify.com, lrclib.net)
✓ No credential harvesting or exfiltration - OAuth tokens are stored locally and used only against the Spotify API
✓ No base64 encoding/decoding, eval(), or dynamic code execution
✓ No attempts to access sensitive system paths (~/.ssh, ~/.aws, /etc/passwd)
✓ No remote script execution (curl|bash, wget|sh)
✓ No hidden instructions in comments or HTML
✓ Well-structured Node.js code with clear, documented functionality
✓ All file operations are restricted to the skill's data directory and the configured Spotify project path