spoti-cli
Warn
Audited by Socket on Mar 28, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS. The skill's capabilities mostly match its stated playlist purpose, including optional journal-based mood inference, but it relies on an externally installed `spoti-cli` whose publisher/source provenance was not verified. The main risk is supply-chain trust and credential forwarding to that CLI; data flow to Spotify is otherwise proportionate and uses official Spotify developer setup.
Confidence: 82%
Severity: 61%
Audit Metadata