4 medium findings.

This skill ships without a capability manifest plus 3 other issues listed below.

0 critical0 high4 medium8 rules passed

Why grade B?

score · 75 / 100

The current grade reflects 4 medium findings (3+ MEDs → B).

0 CRIT0 HIGH4 MED0 LOW

To reach a higher grade

A
Reach Atarget score 95
Resolve 2 of 4 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

med

Link text shows "accessorycontroldevice.configuration" but points at sosumi.ai

The visible link text contains the domain `accessorycontroldevice.configuration`, but the URL actually targets `sosumi.ai`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.

rule: anchor-href-mismatchline: 396CWE-601

▾

394- [AccessoryControlDevice.current(for:)](<https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/current(for:)>)

395- [AccessoryControlDevice.update(_:)](<https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/update(_:)>)

396- [AccessoryControlDevice.Configuration](https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/configuration-swift.struct)← text→accessorycontroldevice.configuration · href→sosumi.ai

397- [AccessoryControlDevice.Capabilities](https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/capabilities)

398- [AccessoryControlDevice.Placement](https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/placement)

med

Link text shows "accessorycontroldevice.capabilities" but points at sosumi.ai

The visible link text contains the domain `accessorycontroldevice.capabilities`, but the URL actually targets `sosumi.ai`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.

rule: anchor-href-mismatchline: 397CWE-601

▾

395- [AccessoryControlDevice.update(_:)](<https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/update(_:)>)

396- [AccessoryControlDevice.Configuration](https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/configuration-swift.struct)

397- [AccessoryControlDevice.Capabilities](https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/capabilities)← text→accessorycontroldevice.capabilities · href→sosumi.ai

398- [AccessoryControlDevice.Placement](https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/placement)

399- [AccessorySetupKit framework](https://sosumi.ai/documentation/accessorysetupkit) (prerequisite for pairing)

med

Link text shows "accessorycontroldevice.placement" but points at sosumi.ai

The visible link text contains the domain `accessorycontroldevice.placement`, but the URL actually targets `sosumi.ai`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.

rule: anchor-href-mismatchline: 398CWE-601

▾

396- [AccessoryControlDevice.Configuration](https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/configuration-swift.struct)

397- [AccessoryControlDevice.Capabilities](https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/capabilities)

398- [AccessoryControlDevice.Placement](https://sosumi.ai/documentation/audioaccessorykit/accessorycontroldevice/placement)← text→accessorycontroldevice.placement · href→sosumi.ai

399- [AccessorySetupKit framework](https://sosumi.ai/documentation/accessorysetupkit) (prerequisite for pairing)

400

Scan another →Share

skillox.io/r/crawl-gv446a2bs3b7vaoz84km0kcn