pp-spotify
Warn
Audited by Socket on May 19, 2026
1 alert found:
SecuritySecuritySKILL.md
MEDIUMSecurityMEDIUM
SKILL.md
SUSPICIOUS: the skill’s Spotify functionality is coherent, but its trust boundary is not. It asks the agent to install and rely on an external `spotify-pp-cli` binary whose provenance is not verified in the provided material, then pass Spotify credentials/tokens to it. The CLI also supports arbitrary webhook delivery, expanding exfiltration risk beyond what is necessary for a normal Spotify integration.
Confidence: 84%Severity: 83%
Audit Metadata