Trust Assessment
spogo-linux received a trust score of 12/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 2 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Persistence mechanism: Shell RC file modification, Unpinned dependency in installation command.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/shaharsha/spotify-linux/SKILL.md:28 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/shaharsha/spotify-linux/SKILL.md:29 | |
| HIGH | Unpinned dependency in installation command The skill's installation command uses `go install github.com/steipete/spogo/cmd/spogo@latest`. Installing the `@latest` version means the specific version of the `spogo` tool is not pinned. This introduces a supply chain risk, as a future installation could pull a different, potentially malicious, version if the upstream repository is compromised or if breaking changes are introduced. Pin the dependency to a specific version or commit hash (e.g., `go install github.com/steipete/spogo/cmd/spogo@v0.2.0`) to ensure deterministic and secure installations. | LLM | SKILL.md:1 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/shaharsha/spotify-linux/SKILL.md:28 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/shaharsha/spotify-linux/SKILL.md:29 |
Scan History
Embed Code
[](https://skillshield.io/report/742f7226d00388be)
Powered by SkillShield