Security Audit
sundial-org/awesome-openclaw-skills:skills/apple-music-2
github.com/sundial-org/awesome-openclaw-skills

Trust Assessment
sundial-org/awesome-openclaw-skills:skills/apple-music-2 received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key finding: unpinned third-party dependency via `git clone` and `pip install -e`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned third-party dependency via git clone and pip install -e.** The skill's documentation recommends installing the `mcp-applemusic` server directly from a GitHub repository using `git clone` and then `pip install -e .`. This method lacks version pinning, making the skill vulnerable to supply chain attacks. If the upstream repository is compromised or malicious code is introduced, future installations would pull and execute this code without review or integrity checks. The `-e` (editable) flag further exacerbates this by allowing immediate reflection of any changes in the cloned repository. Recommend installing `mcp-applemusic` from a trusted package index (e.g., PyPI) with a pinned version, or if cloning from Git, specify a fixed commit hash. Implement a mechanism to verify the integrity of the downloaded code (e.g., checksums) before execution. Regularly audit third-party dependencies. | LLM Behavioral Safety | SKILL.md:309 |
Full report: https://skillshield.io/report/aa39e6ff9bf8af1a

Powered by SkillShield