Spotify

Security checks across malware telemetry and agentic risk

Overview

This skill controls Spotify on macOS using a Homebrew-installed CLI and AppleScript, in line with its stated purpose, with no evidence of hidden data access, credentials, persistence, or destructive behavior.

This appears safe for its stated purpose. Before installing, make sure you are comfortable using Homebrew to install the Spotify CLI dependency and allowing the agent to control Spotify playback on macOS via local commands.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities

Info

What this means

Installing the skill may install or require the Homebrew 'shpotify' package on the user's Mac.

Why it was flagged

The skill depends on an external Homebrew package to provide its CLI. This is disclosed and aligned with controlling Spotify, but it is still an external install dependency users should recognize.

Skill content

"install":[{"id":"brew","kind":"brew","packages":["shpotify"],"bins":["spotify"],"label":"Install spotify CLI (brew)"}]

Recommendation

Install only if you trust the Homebrew package source and want a local Spotify command-line controller.

ASI05: Unexpected Code Execution

Low

What this means

When invoked, the agent may run local commands that change Spotify playback or volume.

Why it was flagged

The skill documents shell and AppleScript commands that control the local Spotify app. This local automation is expected for the skill's purpose and is scoped to playback actions.

Skill content

osascript -e 'tell application "Spotify" to play track "spotify:artist:4tZwfgrHOc3mvqYlEYSvVi"'

Recommendation

Use the skill for explicit Spotify playback requests, and be aware it controls the local Spotify desktop app.