Trust Assessment
spotify-player received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The single finding is a third-party Homebrew tap for 'spogo'.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Third-party Homebrew tap for 'spogo' | LLM | SKILL.md:1 |

The skill's manifest installs 'spogo' from 'steipete/tap'. This is a third-party Homebrew tap, which introduces a supply-chain risk: if the 'steipete/tap' repository or its maintainer account were compromised, a malicious version of 'spogo' could be distributed to everyone installing this skill. Because the tool is executed on the user's machine, a compromised build could run arbitrary code with the user's privileges, exfiltrate data, or harvest credentials.

Recommended actions:

1. Verify the integrity and trustworthiness of the 'steipete/tap' repository and its maintainer.
2. Consider whether 'spogo' can be installed from a more official or widely vetted source.
3. If the third-party tap is necessary, add an independent integrity check (e.g., checksum verification) for the installed artifact where the brew formula supports it, or pin to a specific version or commit where possible.
4. Clearly document for users the risks of installing from a third-party tap.
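The remediation steps above are easier to act on with something concrete. The following Python script is an added example, not SkillShield's analysis code and not part of the spotify-player skill. It scans a manifest for `brew tap` / `brew install` lines that pull from a tap other than homebrew/core or homebrew/cask (the condition the finding above flags), extracts the `url` / `sha256` pin from a formula, verifies a fetched artifact against that pin, and fingerprints the formula text so a later change in the tap is noticed. The manifest excerpt, the `Spogo` formula, the example.invalid URL and the artifact bytes are all constructed stand-ins; only the names 'spogo' and 'steipete/tap' come from the finding.

```python
"""Added example, not SkillShield's or spotify-player's code.

Two checks to run against a skill manifest before trusting an install step such as
`brew install steipete/tap/spogo`: flag installs that pull from a tap the Homebrew
project does not maintain, and verify the formula's pinned source checksum plus a
fingerprint of the formula text itself. All inputs below are constructed stand-ins.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed SKILL.md excerpt (not the real spotify-player manifest).
SAMPLE_MANIFEST = """\
# spotify-player

## Install
brew install steipete/tap/spogo
brew tap steipete/tap
brew install jq
brew install --cask homebrew/cask/spotify
"""

# Taps maintained by the Homebrew project; anything else is third-party.
OFFICIAL_TAPS = {"homebrew/core", "homebrew/cask"}

BREW_TAP_RE = re.compile(r"^[ \t]*brew\s+tap\s+(?P<tap>[\w.-]+/[\w.-]+)", re.M)
BREW_INSTALL_RE = re.compile(r"^[ \t]*brew\s+install\s+(?:--\S+\s+)*(?P<spec>\S+)", re.M)


def _line_no(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def find_third_party_taps(manifest: str) -> List[Dict]:
    """One finding per line that taps or installs from a non-Homebrew tap.

    A bare `brew tap user/repo` is flagged even without a fully qualified install,
    because a later `brew install spogo` would resolve to that tap silently.
    """
    findings = []
    for m in BREW_TAP_RE.finditer(manifest):
        tap = m.group("tap").lower()
        if tap not in OFFICIAL_TAPS:
            findings.append({"tap": tap, "formula": None, "line": _line_no(manifest, m.start())})
    for m in BREW_INSTALL_RE.finditer(manifest):
        parts = m.group("spec").split("/")
        if len(parts) != 3:  # "jq" or "user/repo" is not a fully qualified formula name
            continue
        tap = f"{parts[0]}/{parts[1]}".lower()
        if tap not in OFFICIAL_TAPS:
            findings.append({"tap": tap, "formula": parts[2], "line": _line_no(manifest, m.start())})
    return sorted(findings, key=lambda f: f["line"])


FORMULA_URL_RE = re.compile(r'^[ \t]*url[ \t]+"([^"]+)"', re.M)
# Only the top-level `sha256 "<hex>"`; bottle lines (`sha256 cellar: ..., arm64_x: "..."`) do not match.
FORMULA_SHA_RE = re.compile(r'^[ \t]*sha256[ \t]+"([0-9a-fA-F]{64})"', re.M)


def formula_pin(formula_src: str) -> Tuple[str, str]:
    """Return the (url, sha256) the formula pins for its source artifact."""
    url = FORMULA_URL_RE.search(formula_src)
    sha = FORMULA_SHA_RE.search(formula_src)
    if not url or not sha:
        raise ValueError("formula does not pin both url and sha256")
    return url.group(1), sha.group(1).lower()


def verify_artifact(artifact: bytes, expected_sha256: str) -> bool:
    """True iff the fetched artifact matches the checksum pinned in the formula."""
    return hashlib.sha256(artifact).hexdigest() == expected_sha256.lower()


def formula_fingerprint(formula_src: str) -> str:
    """Hash of the formula text itself: record it once, re-check before each install."""
    return hashlib.sha256(formula_src.encode()).hexdigest()


# Constructed artifact and formula; the formula's sha256 is derived from the artifact
# so the example is self-consistent offline. The bottle checksum is a placeholder.
SAMPLE_ARTIFACT = b"spogo-0.1.0 source tarball (constructed stand-in)\n"
BOTTLE_SHA = "0" * 64
SAMPLE_FORMULA = f'''class Spogo < Formula
  desc "Constructed sample formula"
  homepage "https://example.invalid/spogo"
  url "https://example.invalid/spogo-0.1.0.tar.gz"
  sha256 "{hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}"
  bottle do
    sha256 cellar: :any_skip_relocation, arm64_sonoma: "{BOTTLE_SHA}"
  end
end
'''


def audit(manifest: str, formula_src: str, artifact: bytes,
          known_fingerprint: Optional[str] = None) -> Dict:
    """Combine the checks: third-party taps, artifact checksum, formula drift."""
    _, pinned_sha = formula_pin(formula_src)
    fp = formula_fingerprint(formula_src)
    return {
        "third_party": find_third_party_taps(manifest),
        "artifact_ok": verify_artifact(artifact, pinned_sha),
        "formula_fingerprint": fp,
        "formula_changed": known_fingerprint is not None and known_fingerprint != fp,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, SAMPLE_FORMULA, SAMPLE_ARTIFACT)
    for f in result["third_party"]:
        print(f"SKILL.md:{f['line']} third-party tap {f['tap']} (formula: {f['formula']})")
    print("artifact checksum ok:", result["artifact_ok"])
    print("tampered artifact ok:", verify_artifact(SAMPLE_ARTIFACT + b"x", formula_pin(SAMPLE_FORMULA)[1]))
```

Homebrew already compares a download against the `sha256` in the formula it fetched, so the value of the checksum step here is comparing against a pin you recorded out of band (the formula fingerprint or the tap commit). An attacker who can edit the tap can also edit the expected hash in the formula; they cannot edit the fingerprint you stored when you first reviewed it.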
Full report: https://skillshield.io/report/2885339a0c77c676