pp-spotify

Warn

Audited by Socket on May 19, 2026

1 alert found:

Security
SecurityMEDIUM
SKILL.md

SUSPICIOUS: the skill’s Spotify functionality is coherent, but its trust boundary is not. It asks the agent to install and rely on an external `spotify-pp-cli` binary whose provenance is not verified in the provided material, then pass Spotify credentials/tokens to it. The CLI also supports arbitrary webhook delivery, expanding exfiltration risk beyond what is necessary for a normal Spotify integration.

Confidence: 84%Severity: 83%
Audit Metadata
Analyzed At
May 19, 2026, 12:36 AM
Package URL
pkg:socket/skills-sh/mvanhorn%2Fprinting-press-library%2Fpp-spotify%2F@12a735d05abca53d1224e76394f8f8d154204206
Security Audit — socket — pp-spotify