Is maddydci45-svg/sonos safe?

https://github.com/openclaw/skills/tree/main/skills/maddydci45-svg/sonos

Overall score: 94 (SAFE)

This skill is a documentation wrapper for the sonoscli tool that provides Sonos speaker control functionality. The main security concern is the automatic installation of an external Go binary from GitHub, though this is transparently declared and from a reputable source.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (2)

MEDIUM Automatic external binary installation -25

The skill declares a dependency that would automatically download and install a Go binary from github.com/steipete/sonoscli when activated. While transparently declared in metadata, this represents automatic execution of external code.

LOW External dependency concerns -15

The skill relies entirely on an external Go binary for its functionality, creating a dependency chain that could be compromised. However, the dependency is from a known developer and clearly documented.