spotify-player
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill directs the agent to install tools from a personal Homebrew tap (
steipete/tap). This source is not among the verified trusted organizations, posing a risk of supply chain compromise or unverified binary execution. - [COMMAND_EXECUTION] (MEDIUM): The skill provides instructions for the command
spogo auth import --browser chrome. This command accesses sensitive browser data (cookies) to facilitate authentication. While a functional feature of the tool, it involves high-risk access to user credentials. - [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes untrusted metadata from Spotify's external API results.
- Ingestion points: Spotify search results (track names, artist names, etc.).
- Boundary markers: Absent. The skill does not define specific delimiters for API-returned text.
- Capability inventory: The skill executes shell commands via
spogoandspotify_playerbinaries. - Sanitization: Absent. There is no evidence of filtering or escaping logic for data returned from the Spotify API before it is handled by the agent.
Audit Metadata