Trust Assessment
apple-music received a trust score of 76/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Command Injection via osascript, Unpinned Dependency in Supply Chain, and Private Key Access for API Authentication.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Command Injection via osascript.** The skill explicitly uses `osascript` commands executed via `bash` to interact with the Apple Music application. This is a direct command execution vector. While the document provides a Python function `escape_applescript` to mitigate string injection, the underlying mechanism relies on executing arbitrary AppleScript code on the host system. If user-provided input is not perfectly sanitized before being passed to `osascript`, it could lead to arbitrary command execution on the macOS system where the agent is running. Recommendation: Ensure all user-provided input passed to `osascript` commands is rigorously sanitized using the provided `escape_applescript` function or an equivalent robust escaping mechanism. Consider implementing stricter input validation to limit the complexity of user input that can be passed to AppleScript. If possible, explore sandboxed execution environments for `osascript` calls. | LLM | SKILL.md:50 |
| MEDIUM | **Unpinned Dependency in Supply Chain.** The installation instructions for `mcp-applemusic` recommend `git clone` followed by `pip install -e .`. This introduces a direct dependency on an external Git repository without specifying a version (e.g., commit hash or release tag). This means future installations could pull different or potentially malicious code if the upstream repository is compromised or changes unexpectedly. The use of `-e .` (editable install) further means any local changes in the cloned directory are immediately active. Recommendation: Pin the `mcp-applemusic` dependency to a specific, known-good commit hash or release tag to ensure deterministic installations. For example, `git clone -b <tag> ...` (a commit hash must be checked out after cloning, since `-b` accepts only a branch or tag name) or specify the version in a `requirements.txt` file. Avoid editable installs (`-e .`) in production environments unless strictly necessary and managed carefully. | LLM | SKILL.md:326 |
| MEDIUM | **Private Key Access for API Authentication.** The MusicKit API authentication process requires reading a private key file (`AuthKey_XXXXXXXXXX.p8`) from disk to generate a developer token. While this is a standard practice for MusicKit, it means the skill's execution environment must have direct access to this sensitive file. If the skill's environment or the skill itself is compromised, this private key could be exfiltrated, potentially allowing an attacker to impersonate the developer account for Apple Music API access. Recommendation: Implement secure storage and access controls for the `.p8` private key file, ensuring it is not directly accessible by unauthorized processes or users. Consider using environment variables or a secure secrets management service to provide the private key content to the skill at runtime, rather than reading it from a file in a potentially exposed skill directory. Ensure the generated JWTs are handled securely and not logged or exposed. | LLM | SKILL.md:198 |