spotify-player
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata defines installation steps for third-party CLI tools ('spogo' from 'steipete/tap' and 'spotify_player') using the Homebrew package manager.
- [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute shell commands for playback management, device selection, and authentication importing via the browser.
- [PROMPT_INJECTION]: The skill contains an attack surface for indirect prompt injection via the search query parameters.
  - Ingestion points: Search query inputs in `spogo search track "query"` and `spotify_player search "query"` (SKILL.md).
  - Boundary markers: Absent; user-provided data is interpolated directly into commands without delimiters or warnings.
  - Capability inventory: Shell command execution and network access via CLI tools.
  - Sanitization: Absent; no input validation or escaping is specified for the search queries.
Audit Metadata