spotify-player

SUSPICIOUS. The skill’s purpose and capabilities mostly align, but it prefers a third-party CLI from a personal Homebrew tap and instructs importing browser cookies, which is sensitive credential access. No clear evidence of exfiltration to non-Spotify endpoints was found, so this is not confirmed malware, but the install and auth model create meaningful security risk.