2 medium findings.

This skill ships without a capability manifest plus 1 other issue listed below.

0 critical0 high2 medium10 rules passed

Why grade A?

score · 95 / 100

The current grade reflects 2 minor findings below all thresholds.

0 CRIT0 HIGH2 MED0 LOW

Already at the top grade — no further rules to pass.

Findings · ordered by severity

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

med

Link text shows "com.apple.developer.sensorkit.reader.allow" but points at sosumi.ai

The visible link text contains the domain `com.apple.developer.sensorkit.reader.allow`, but the URL actually targets `sosumi.ai`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.

rule: anchor-href-mismatchline: 498CWE-601

▾

496- [SRFetchRequest](https://sosumi.ai/documentation/sensorkit/srfetchrequest)

497- [Configuring your project for sensor reading](https://sosumi.ai/documentation/sensorkit/configuring-your-project-for-sensor-reading)

498- [com.apple.developer.sensorkit.reader.allow](https://sosumi.ai/documentation/bundleresources/entitlements/com.apple.developer.sensorkit.reader.allow)← text→com.apple.developer.sensorkit.reader.allow · href→sosumi.ai

499

Scan another →Share

skillox.io/r/crawl-dqgqvhlknl7skpk8ruxso7u6