spotify-player
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes terminal-based binaries (spogo and spotify_player) to manage Spotify playback and searching.
- [EXTERNAL_DOWNLOADS]: The skill instructions include installing dependencies from a third-party Homebrew tap (steipete/tap).
- [PROMPT_INJECTION]: The skill incorporates user-provided search terms directly into CLI commands, creating an indirect prompt injection surface. Ingestion points: Spotify search query parameters in SKILL.md. Boundary markers: None identified. Capability inventory: Execution of local CLI tools via shell. Sanitization: No input validation or escaping for the query strings is specified.
- [DATA_EXFILTRATION]: The authentication workflow uses the 'spogo auth import' command to read sensitive session cookies from the Chrome browser profile. While necessary for the tool's functionality, this represents access to high-value session data.
Audit Metadata